CVE-2026-32628 - Vulnerability Analysis
Severity: High | CVSS: 8.8 | Last Updated: March 16, 2026
AnythingLLM - SQL Injection
Overview
AnythingLLM <= 1.11.1 contains a SQL injection caused by unsanitized concatenation of the table_name parameter in the getTableSchemaSql() method of the SQL Agent plugin, letting any user who invokes the agent execute arbitrary SQL commands on the connected database.
Severity & Score
Impact
Any user invoking the SQL Agent plugin can execute arbitrary SQL commands on connected databases, potentially leading to data compromise or manipulation.
Mitigation
Update to a version later than 1.11.1.
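The unsafe pattern the overview describes, beside a hardened builder, as an added illustration that is not AnythingLLM's own code; the function names, the information_schema query and the $1 placeholder style are assumptions.

```javascript
// Added illustration, not AnythingLLM's code. Function names, the query text and
// the placeholder style are assumptions chosen to show the pattern, not the real plugin.

// Vulnerable shape: a caller-controlled identifier is pasted straight into the SQL text,
// so a value containing a quote or a statement separator rewrites the query.
function getTableSchemaSqlUnsafe(tableName) {
  return `SELECT column_name, data_type FROM information_schema.columns ` +
    `WHERE table_name = '${tableName}'`;
}

// Hardened: accept only a strict identifier allowlist (letters, digits, underscore,
// at most 63 characters), then bind the value instead of interpolating it.
const IDENTIFIER_RE = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;

function assertSafeIdentifier(name) {
  if (typeof name !== "string" || !IDENTIFIER_RE.test(name)) {
    throw new Error(`Rejected table identifier: ${JSON.stringify(name)}`);
  }
  return name;
}

// Returns a {text, values} pair for a parameterised driver call; the table name
// never becomes part of the SQL string, so quoting tricks cannot change its structure.
function getTableSchemaSqlSafe(tableName) {
  const name = assertSafeIdentifier(tableName);
  return {
    text: "SELECT column_name, data_type FROM information_schema.columns WHERE table_name = $1",
    values: [name],
  };
}

// Helper for review or unit tests: does a given name survive the hardened path?
function isAcceptedByHardenedPath(tableName) {
  try {
    getTableSchemaSqlSafe(tableName);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed inputs: a legitimate table name and a name shaped to break out of a literal.
const LEGIT_NAME = "user_profiles";
const HOSTILE_NAME = "users'; --";
```

The unsafe builder embeds HOSTILE_NAME verbatim inside the query text, while the hardened builder rejects it before any SQL is produced.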
References
Social Media Activity(1 post)
"A 56,000-Star AI App Shipped With a Textbook SQL Injection Flaw. A 56,000-star LLM app ships with raw string concatenation in its database connector. I found it, reported it, got the CVE. Here is th..."
Tags: https://mastodon.social/tags/cybersecurity https://mastodon.social/tags/ai-security https://mastodon.social/tags/offensive-security https://mastodon.social/tags/vulnerability-research https://mastodon.social/tags/anythingllm-cve https://mastodon.social/tags/cve-2026-32628 https://mastodon.social/tags/ai-agent-security https://mastodon.social/tags/sql-injection-flaw
Source: https://hackernoon.com/a-56000-star-ai-app-shipped-with-a-textbook-sql-injection-flaw?source=rss
Details
- CVE ID: CVE-2026-32628
- Severity: High
- CVSS Score: 8.8
- Type: sql_injection
- Status: confirmed
- EPSS: 3.4%
- Social Posts: 1
CWE
- CWE-89
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H