CVE-2026-32717
- Source
- https://cve.org/CVERecord?id=CVE-2026-32717
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32717.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-32717
- Aliases
-
- GHSA-7754-8jcc-2rg3
- Published
- 2026-03-13T21:23:48.659Z
- Modified
- 2026-04-10T05:42:26.623688Z
- Severity
-
- 2.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- AnythingLLM access control bypass: suspended users can continue using Browser Extension API keys
- Details
-
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, in multi-user mode, AnythingLLM blocks suspended users on the normal JWT-backed session path, but it does not block them on the browser extension API key path. If a user already has a valid brx-... browser extension API key, that key continues to work after suspension. As a result, a suspended user can still access browser extension endpoints, read reachable workspace metadata, and continue upload or embed operations even though normal authenticated requests are rejected.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32717.json", "cwe_ids": [ "CWE-863" ], "cna_assigner": "GitHub_M" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32717.json
- https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-7754-8jcc-2rg3
- https://nvd.nist.gov/vuln/detail/CVE-2026-32717
- https://github.com/Mintplex-Labs/anything-llm/commit/a207449095158f28c7e16acf113356b336c87803
Affected packages
Git / github.com/mintplex-labs/anything-llm
Affected ranges
- Type
- GIT
- Repo
- https://github.com/mintplex-labs/anything-llm
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed