SQL Injection Vulnerability in AnythingLLM Application by Mintplex Labs
CVE-2026-32628
7.7 HIGH
What is CVE-2026-32628?
AnythingLLM, an application that turns documents and other content into usable context for language models, contains a SQL injection flaw: any user with access to the built-in SQL Agent plugin can execute arbitrary SQL commands on the databases the agent is connected to. The root cause is the getTableSchemaSql() method in all three database connectors (MySQL, PostgreSQL, and MSSQL), which builds its query by directly concatenating the user-supplied table_name parameter into the SQL string without any sanitization or parameterization. Because the table name is never validated or bound as a parameter, the resulting query text is fully attacker-controlled, which can lead to severe security consequences for the connected databases.
Affected Version(s)
anything-llm <= 1.11.1
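The following is an added illustration, not code from AnythingLLM or Mintplex Labs: a reconstruction of the concatenation pattern the advisory describes next to a hardened schema lookup for the three dialects it names. It assumes the connector receives the raw table_name string and that the underlying drivers accept bound parameters (placeholder styles for mysql2, pg and mssql are assumed).

```javascript
// Added example (not the project's own code). The unsafe function
// reconstructs the advisory's pattern; the safe one is an assumed fix.

// Plain SQL identifier: letters, digits, underscore, max 63 characters.
const IDENTIFIER_RE = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;

const SCHEMA_QUERY =
  "SELECT column_name, data_type FROM information_schema.columns WHERE table_name = ";

// Unsafe pattern: the caller-supplied name is spliced into the query text,
// so any quote or statement separator in it becomes part of the SQL.
function unsafeTableSchemaSql(tableName) {
  return `${SCHEMA_QUERY}'${tableName}'`;
}

// Allow-list check: anything that is not a bare identifier is rejected
// before it can reach the database driver.
function assertIdentifier(name) {
  if (typeof name !== "string" || !IDENTIFIER_RE.test(name)) {
    throw new Error(`invalid table name: ${JSON.stringify(name)}`);
  }
  return name;
}

// Hardened version: the name is validated, then passed as a bound
// parameter in each dialect's placeholder syntax, never as query text.
function safeTableSchemaSql(dialect, tableName) {
  const name = assertIdentifier(tableName);
  switch (dialect) {
    case "mysql":
      return { text: SCHEMA_QUERY + "?", params: [name] }; // mysql2 style
    case "postgres":
      return { text: SCHEMA_QUERY + "$1", params: [name] }; // pg style
    case "mssql":
      return { text: SCHEMA_QUERY + "@tableName", params: { tableName: name } }; // mssql style
    default:
      throw new Error(`unsupported dialect: ${dialect}`);
  }
}

// Returns true when the hardened builder rejects the given input.
function isRejected(tableName) {
  try {
    safeTableSchemaSql("postgres", tableName);
    return false;
  } catch (e) {
    return true;
  }
}
```

Even a legitimate-looking value such as `o'reilly` breaks the unsafe builder's quoting, while the hardened builder rejects it up front and bound parameters keep any accepted name out of the query text.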
