CVE-2026-32890 in Anchorr

Summary

by MITRE • 03/20/2026

Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting (XSS) vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in the Anchorr admin's browser. By chaining this with the GET /api/config endpoint (which returns all secrets in plaintext), an attacker can exfiltrate every credential stored in Anchorr, including DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET, and bcrypt password hashes, without any authentication to Anchorr itself. This issue has been fixed in version 1.4.2.


Analysis

by VulDB Data Team • 03/27/2026

The vulnerability identified as CVE-2026-32890 affects Anchorr, a Discord bot designed for media request management and notification services. This bot operates within Discord guilds to facilitate user requests for movies and TV shows while providing notifications when content becomes available on media servers. The security flaw resides in the web dashboard's User Mapping dropdown functionality, which represents a critical oversight in input validation and output encoding. The stored cross-site scripting vulnerability allows any unprivileged Discord user within the configured guild to inject malicious JavaScript code that executes in the administrator's browser session, creating a persistent threat vector that can be exploited repeatedly.

The technical exploitation of this vulnerability follows a specific chain of attack vectors that amplifies its impact significantly. An attacker can leverage the stored XSS in the User Mapping dropdown to execute arbitrary JavaScript code within the admin's browser context. This initial foothold becomes particularly dangerous when combined with the GET /api/config endpoint, which is designed to return all configuration data including sensitive credentials. The endpoint fails to implement proper authentication checks or access controls, meaning it serves plaintext secrets to any user who can access it. This design flaw creates a complete credential theft scenario where attackers can extract DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET, and bcrypt password hashes without requiring any authentication to the Anchorr system itself.

The operational impact of this vulnerability extends far beyond simple data theft, as it provides attackers with comprehensive access to the integrated media ecosystem. With the DISCORD_TOKEN, attackers can gain full control over the Discord guild and potentially access other services connected to the same Discord account. The JELLYFIN_API_KEY and JELLYSEERR_API_KEY provide direct access to media server functionality, allowing attackers to manipulate content, modify user permissions, and potentially gain access to private media collections. The JWT_SECRET and WEBHOOK_SECRET enable attackers to forge authentication tokens and manipulate webhook notifications, while the bcrypt password hashes provide the potential to compromise user accounts across the system. This comprehensive credential exposure transforms a simple XSS vulnerability into a complete system compromise scenario that affects multiple interconnected services.

The vulnerability demonstrates a clear violation of several security principles and standards, particularly those related to input validation and access control. According to CWE-79, the stored XSS vulnerability represents a classic weakness in web application security where user-supplied data is not properly sanitized before being rendered in web pages. The improper access control mechanism that exposes sensitive configuration data through the GET /api/config endpoint aligns with CWE-284, which addresses inadequate access control implementations. The attack pattern follows elements of ATT&CK technique T1566, specifically the credential access phase where attackers leverage web application vulnerabilities to obtain authentication tokens and secrets. The lack of authentication checks on the configuration endpoint also violates the principle of least privilege and demonstrates poor security architecture design. The vulnerability represents a critical failure in the security model of the application, where a single XSS flaw combined with insecure configuration exposure creates a complete compromise scenario.

Mitigation strategies for this vulnerability should focus on multiple layers of defense to prevent both the initial exploitation and subsequent credential theft. The immediate fix involves updating to version 1.4.2, which implements proper input sanitization for the User Mapping dropdown and adds authentication checks to the /api/config endpoint. Additional security measures include implementing proper output encoding for all user-supplied data in the web dashboard, adding rate limiting and access controls to API endpoints, and implementing proper authentication mechanisms for administrative functions. Organizations should also consider implementing network-level protections such as web application firewalls to detect and block suspicious API requests, and establish monitoring for unusual access patterns to configuration endpoints. Regular security audits of web applications should include comprehensive testing for stored XSS vulnerabilities and access control weaknesses to prevent similar issues from emerging in the future.
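The two fixes described above, output encoding for the User Mapping dropdown and an authenticated, secret-free config endpoint, as an added JavaScript example; this is not Anchorr's own code, and the user object shape, the session object, the handler names and the sample users are assumptions constructed for illustration.

```javascript
// Added example (not Anchorr's code): defensive building blocks for the two
// weaknesses in the advisory. Names, object shapes and sample data are assumed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode user-supplied text before it is placed inside HTML markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: Discord display names are concatenated into markup
// verbatim, so a name containing tags becomes live HTML in the admin's page.
function renderOptionsUnsafe(users) {
  return users.map((u) => `<option value="${u.id}">${u.displayName}</option>`).join('');
}

// Hardened pattern: attribute and text content are encoded, and the id is
// validated against the numeric shape of a Discord snowflake (assumed format).
function renderOptionsSafe(users) {
  return users
    .filter((u) => /^\d{1,20}$/.test(String(u.id)))
    .map((u) => `<option value="${escapeHtml(u.id)}">${escapeHtml(u.displayName)}</option>`)
    .join('');
}

// Keys named in the advisory whose values must never leave the server.
const SECRET_KEYS = new Set(['DISCORD_TOKEN', 'JELLYFIN_API_KEY',
  'JELLYSEERR_API_KEY', 'JWT_SECRET', 'WEBHOOK_SECRET']);

// Config view safe for an API response: secrets and hashes become a marker so
// the dashboard can show "set / not set" without exposing the value.
function redactConfig(config) {
  const out = {};
  for (const [key, value] of Object.entries(config)) {
    const isSecret = SECRET_KEYS.has(key) || /PASSWORD|HASH/i.test(key);
    out[key] = isSecret ? (value ? '[redacted]' : null) : value;
  }
  return out;
}

// Endpoint logic: refuse callers without an admin session (assumed field),
// and even then return only the redacted view, so a stored XSS in the
// dashboard has nothing to exfiltrate from this endpoint.
function handleConfigRequest(session, config) {
  if (!session || session.role !== 'admin') {
    return { status: 401, body: { error: 'authentication required' } };
  }
  return { status: 200, body: redactConfig(config) };
}

// Constructed sample: one benign user and one whose display name carries markup.
const SAMPLE_USERS = [
  { id: '123456789012345678', displayName: 'alice' },
  { id: '234567890123456789', displayName: '<script>alert(1)</script>' },
];
```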

Responsible

GitHub M

Reservation

03/16/2026

Disclosure

03/20/2026

Moderation

accepted

CPE

ready

EPSS

0.00032

KEV

no

Activities

very low
