CVE-2026-32715

Exploit

EPSS 0.03%
Veröffentlicht 13.03.2026 21:22:00
Zuletzt bearbeitet 16.03.2026 20:00:30
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The two generic system-preferences endpoints allow manager role access, while every other surface that touches the same settings is restricted to admin only. Because of this inconsistency, a manager can call the generic endpoints directly to read plaintext SQL database credentials and overwrite admin-only global settings such as the default system prompt and the Community Hub API key.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mintplexlabs ≫ Anythingllm Version <= 1.11.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.083

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	3.8	1.2	2.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-wfq3-65gm-3g2p

Vendor Advisory

Exploit

https://github.com/Mintplex-Labs/anything-llm/commit/732eac6fa89f43288bbb65ecc6298ebcd96b7aeb

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-32715

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-32715

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-32715

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-32715