CVE-2026-32715
- Source
- https://cve.org/CVERecord?id=CVE-2026-32715
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32715.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-32715
- Aliases
-
- GHSA-wfq3-65gm-3g2p
- Published
- 2026-03-13T21:22:00.783Z
- Modified
- 2026-04-10T05:42:26.114229Z
- Severity
-
- 3.8 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- AnythingLLM Manager Privilege Bypass Allows Access to Admin-Only System Preferences
- Details
-
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The two generic system-preferences endpoints allow manager role access, while every other surface that touches the same settings is restricted to admin only. Because of this inconsistency, a manager can call the generic endpoints directly to read plaintext SQL database credentials and overwrite admin-only global settings such as the default system prompt and the Community Hub API key.
- Database specific
{ "cwe_ids": [ "CWE-863" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32715.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32715.json
- https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-wfq3-65gm-3g2p
- https://nvd.nist.gov/vuln/detail/CVE-2026-32715
- https://github.com/Mintplex-Labs/anything-llm/commit/732eac6fa89f43288bbb65ecc6298ebcd96b7aeb
Affected packages
Git / github.com/mintplex-labs/anything-llm
Affected ranges
- Type
- GIT
- Repo
- https://github.com/mintplex-labs/anything-llm
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed