Authorization Flaw in AnythingLLM Browser Extension API
CVE-2026-32717

2.7LOW

Key Information:

Vendor: Mintplex-labs
Status: Anything-llm
Vendor: CVE Published:; 13 March 2026

🔔 Create Mintplex-labs Vulnerability Alert

What is CVE-2026-32717?

In the AnythingLLM application, an authorization flaw allows suspended users to continue utilizing their valid browser extension API keys. While user access is restricted on the normal JWT-backed session path during multi-user operations, this restriction is not enforced for the browser extension API. Consequently, suspended users retain the ability to access sensitive workspace metadata and perform upload or embed operations, undermining the overall security and integrity of the application.

Affected Version(s)

anything-llm <= 1.11.1

References

https://github.com/Mintplex-Labs/anything-llm/security/ad...

x_refsource_CONFIRM

https://github.com/Mintplex-Labs/anything-llm/commit/a207...

x_refsource_MISC

CVSS V3.1

Score:

2.7

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 13, 2026
Vulnerability Reserved
Mar 13, 2026

CVE-2026-32717 Data

JSON