CVE-2026-32717 - Vulnerability Analysis

Severity: Low (CVSS: 2.7)

Last Updated: March 16, 2026

AnythingLLM - Broken Access Control

Published: March 16, 2026 | Updated: March 16, 2026 | PoC Available | Remote Exploitable

Overview

AnythingLLM <= 1.11.1 contains a broken access control vulnerability: the browser extension API key authentication path fails to block suspended users, so a suspended user who still holds a valid browser extension API key can access workspace metadata and perform operations. Exploitation requires a valid browser extension API key.

Severity & Score

Severity: Low
CVSS Score: 2.7

Impact

Suspended users can bypass restrictions to access metadata and perform upload/embed operations, undermining access control policies.

Mitigation

Update to the latest version that properly blocks suspended users on all access paths.

Details

CVE ID: CVE-2026-32717
Severity: Low
CVSS Score: 2.7
Type: broken_access_control
Status: confirmed

CWE

  • CWE-863

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N