CVE-2026-32617 in anything-llm
Summary
by MITRE • 03/16/2026
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, On default installations where no password or API key has been configured, all HTTP endpoints and the agent WebSocket lack authentication, and the server's CORS policy accepts any origin. AnythingLLM Desktop binds to 127.0.0.1 (loopback) by default. Modern browsers (Chrome, Edge, Firefox) implement Private Network Access (PNA). This explicitly blocks public websites from making requests to local IP addresses. Exploitation is only viable from within the same local network (LAN) due to browser-level blocking of public-to-private requests.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 03/16/2026
CVE-2026-32617 represents a critical authentication and access control vulnerability within AnythingLLM version 1.11.1 and earlier releases. This vulnerability stems from the application's default configuration that fails to enforce proper authentication mechanisms for its HTTP endpoints and WebSocket connections used by the agent. The flaw exists specifically in default installations where no password or API key has been configured, creating a dangerous attack surface that allows unauthorized access to sensitive functionality. The vulnerability manifests through the server's overly permissive Cross-Origin Resource Sharing (CORS) policy which accepts requests from any origin, combined with the complete absence of authentication checks for HTTP endpoints and WebSocket connections. This combination effectively removes all access controls, making the entire application vulnerable to exploitation by any attacker who can reach the system through the local network.
The technical implementation of this vulnerability leverages the application's default binding behavior where AnythingLLM Desktop operates on the loopback interface 127.0.0.1, which is designed to accept connections only from the local machine. However, the absence of authentication combined with the permissive CORS policy creates a path for exploitation within local network environments. The vulnerability specifically affects the HTTP endpoints and agent WebSocket connections that are accessible without any form of authentication, allowing attackers to interact with the application's functionality directly through these interfaces. The CORS policy configuration that accepts any origin means that malicious actors could potentially craft web pages that interact with the AnythingLLM instance, though the browser's Private Network Access restrictions provide some protection against remote exploitation from public websites.
The operational impact of this vulnerability is significant as it allows an attacker within the same local network to gain unauthorized access to the application's functionality, potentially enabling them to manipulate content, access sensitive data, or even execute arbitrary commands depending on the application's capabilities. The vulnerability's exploitation is limited to local network environments due to browser-level security restrictions such as Private Network Access (PNA) implemented in modern browsers including Chrome, Edge, and Firefox. These browser restrictions explicitly block public websites from making requests to local IP addresses, which effectively prevents remote exploitation from the internet. However, within the confines of a local network, an attacker could potentially leverage this vulnerability to compromise the system through various attack vectors including man-in-the-middle attacks or by hosting malicious web content on compromised devices within the same network.
This vulnerability aligns with CWE-306 (Missing Authentication) and CWE-346 (Origin Validation) as identified in the Common Weakness Enumeration catalog, representing failures in authentication mechanisms and origin validation respectively. The attack pattern corresponds to techniques described in the MITRE ATT&CK framework under T1190 (Exploit Public-Facing Application) and T1071.004 (Application Layer Protocol: DNS) where attackers might leverage misconfigured applications to gain unauthorized access. The vulnerability's nature also relates to T1566 (Phishing) as attackers could potentially craft phishing attacks within the local network to exploit this weakness. Organizations should implement immediate mitigations including enforcing authentication through password or API key configuration, implementing proper CORS policies that restrict origins to trusted domains, and ensuring that default installations are not left in insecure states. Network segmentation and firewall rules should be implemented to restrict access to the AnythingLLM service to authorized hosts only, while regular security audits should be conducted to verify that authentication mechanisms remain properly configured.