Authorization Flaw in AnythingLLM Browser Extension API
CVE-2026-32717

2.7LOW

Key Information:

Vendor: Mintplex-labs
Status: Anything-llm
Vendor: CVE Published:; 13 March 2026

🔔 Create Mintplex-labs Vulnerability Alert

What is CVE-2026-32717?

In the AnythingLLM application, an authorization flaw allows suspended users to continue utilizing their valid browser extension API keys. While user access is restricted on the normal JWT-backed session path during multi-user operations, this restriction is not enforced for the browser extension API. Consequently, suspended users retain the ability to access sensitive workspace metadata and perform upload or embed operations, undermining the overall security and integrity of the application.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

anything-llm <= 1.11.1

References

https://github.com/Mintplex-Labs/anything-llm/security/ad...

x_refsource_CONFIRM

https://github.com/Mintplex-Labs/anything-llm/commit/a207...

x_refsource_MISC

CVSS V3.1

Score:

2.7

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 13, 2026
Vulnerability Reserved
Mar 13, 2026

JSON

Mintplex-labs

What is CVE-2026-32717?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.