CVE-2026-32617 - Vulnerability Analysis
High | CVSS: 7.1 | Last Updated: March 16, 2026
AnythingLLM - Authentication Bypass
Published: March 16, 2026 | Updated: March 16, 2026 | PoC Available | Remote Exploitable
Overview
AnythingLLM <= 1.11.1 contains an authentication bypass caused by missing password or API key configuration combined with a permissive CORS policy. This lets local network attackers access all HTTP endpoints and the WebSocket. Exploitation requires the attacker to be on the same LAN.
Severity & Score
Severity: High
CVSS Score: 7.1
Impact
Local network attackers can access all endpoints without authentication, potentially leading to unauthorized data access or control.
Mitigation
Configure a password or API key and restrict CORS policy; update to the latest version.
Details
- CVE ID: CVE-2026-32617
- Severity: High
- CVSS Score: 7.1
- Type: broken_authentication
- Status: confirmed
CWE
- CWE-942
CVSS Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L