CVE-2026-32719 in anything-llm
Summary
by MITRE • 03/16/2026
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, the ImportedPlugin.importCommunityItemFromUrl() function in server/utils/agents/imported.js downloads a ZIP file from a community hub URL and extracts it using AdmZip.extractAllTo() without validating file paths within the archive. This enables a Zip Slip path traversal attack that can lead to arbitrary code execution.
Analysis
by VulDB Data Team • 03/16/2026
The vulnerability identified as CVE-2026-32719 affects AnythingLLM version 1.11.1 and earlier, representing a critical security flaw in the application's plugin import functionality. This issue stems from insufficient input validation during the extraction of ZIP archives containing community plugins. The specific function impacted is ImportedPlugin.importCommunityItemFromUrl() located in server/utils/agents/imported.js, which handles the download and extraction of community hub content. When users import plugins from community sources, the application downloads ZIP files and extracts their contents using AdmZip.extractAllTo() method without performing proper path validation on the archived files. This design flaw creates an exploitable condition that allows malicious actors to manipulate archive contents and execute arbitrary code on the target system.
The technical implementation of this vulnerability follows a classic Zip Slip attack pattern where attacker-controlled ZIP archives contain entries with malicious file paths such as ../etc/passwd or similar directory traversal sequences. When the AdmZip.extractAllTo() method processes these archives, it extracts files to locations outside the intended extraction directory, potentially overwriting critical system files or creating malicious executables in system directories. The vulnerability directly maps to CWE-22 Path Traversal and CWE-400 Uncontrolled Resource Consumption, as the application fails to validate file paths within the ZIP archive before extraction. This weakness enables an attacker to execute arbitrary code with the privileges of the application process, which typically runs with elevated permissions on the server hosting AnythingLLM.
The operational impact of this vulnerability is severe and potentially catastrophic for organizations using AnythingLLM. An attacker who can influence the content of community plugins or gain access to the community hub could execute arbitrary commands on the host system, potentially leading to complete system compromise. The vulnerability affects both the application's integrity and availability, as malicious code execution could result in data exfiltration, system modification, or service disruption. Attackers could leverage this vulnerability to establish persistent access, escalate privileges, or use the compromised system as a launch point for further attacks within the network infrastructure. The attack vector requires minimal user interaction, as the vulnerability is triggered during automated plugin import processes, making it particularly dangerous for environments where community plugins are automatically downloaded and installed.
Mitigation strategies for CVE-2026-32719 should prioritize immediate patching of AnythingLLM to version 1.11.2 or later, which addresses the path traversal vulnerability in the ZIP extraction process. Organizations should implement additional defensive measures, including network segmentation to isolate the AnythingLLM application, strict access controls for community plugin sources, and monitoring for suspicious file extraction activity. The application should be configured to validate all file paths within ZIP archives before extraction, rejecting any entry that attempts directory traversal. Security controls should include proper input validation, secure extraction libraries that prevent path traversal, and automated scanning of imported plugins for malicious content. Organizations should also consider applying the principle of least privilege to the application process, limiting its filesystem access and permissions to reduce the potential damage from successful exploitation attempts. The vulnerability aligns with ATT&CK techniques T1059 Command and Scripting Interpreter and T1021.002 Remote Services, as exploitation would involve executing commands through the compromised application and potentially leveraging remote access capabilities.