Description
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, on default installations where no password or API key has been configured, all HTTP endpoints and the agent WebSocket lack authentication, and the server's CORS policy accepts any origin. AnythingLLM Desktop binds to 127.0.0.1 (loopback) by default. Modern browsers (Chrome, Edge, Firefox) implement Private Network Access (PNA). This explicitly blocks public websites from making requests to local IP addresses. Exploitation is only viable from within the same local network (LAN) due to browser-level blocking of public-to-private requests.
Published: 2026-03-13
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted Local Network Data Disclosure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a permissive cross‑origin resource sharing (CORS) policy combined with the absence of authentication for all HTTP endpoints and the agent WebSocket in default installations of AnythingLLM version 1.11.1 and earlier. Because the server accepts requests from any origin, a malicious web page can issue requests to the local server and read the responses without any credentials. This removes the application's first line of defense: an attacker who can reach the server over the local network can retrieve or manipulate data that the server should protect. The weakness is classified as CWE‑1188 (insecure default initialization of a resource) and CWE‑942 (permissive cross‑domain policy with untrusted domains), a design flaw that allows unwanted data disclosure.

Affected Systems

Affected are Mintplex‑Labs AnythingLLM installations running version 1.11.1 or earlier in their default configuration: no password or API key has been configured, all HTTP endpoints and the agent WebSocket are unauthenticated, and the CORS policy allows any origin. The server binds to 127.0.0.1 by default, and browsers that implement Private Network Access (PNA) block public websites from making requests to local IP addresses, so the vulnerability is exploitable only from within the same local area network (LAN). Any machine on the LAN can host a malicious web page that, once loaded in the victim's browser, can communicate with the AnythingLLM server.

Risk and Exploitability

The CVSS v3.1 score is 7.1 (high): the flaw compromises the confidentiality and integrity of data on the host. The EPSS value is below 1 %, indicating that, although the flaw is serious in principle, the probability of real‑world exploitation is low because of the limited attack vector. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Exploitation requires local network access, a victim browser that loads a malicious site, and responses returned with a permissive CORS header that the page can read. Once these prerequisites are met, an attacker can send arbitrary requests to the server and consume the returned data, potentially escalating to full data disclosure or modification if lateral movement or further network compromise follows.

Generated by OpenCVE AI on March 16, 2026 at 23:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AnythingLLM to version 1.11.2 or later, which removes the default permissive CORS policy and introduces authentication
  • Configure a strong authentication mechanism (password or API key) on all endpoints and the WebSocket to prevent unauthenticated access
  • Restrict the CORS policy to trusted origins instead of "*" or disable CORS altogether if cross‑domain access is not required
  • Bind the server to 127.0.0.1 and/or place it behind a firewall or VPN to restrict local network exposure
  • Verify that the deployed instance has no unprotected HTTP endpoints or WebSocket listeners before exposing it to potential attackers
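The origin allowlist called for above, as an added JavaScript example that is not AnythingLLM's own code: an Express-style origin check shown beside the weak wildcard policy the advisory describes, plus a classifier for a response observed from one's own instance during the verification step. The allowlist, the probe origin and the status codes are assumed, constructed values.

```javascript
// Weak policy from the advisory: with no authentication configured, a page on any
// LAN host that is allowed by "*" can read every response.
const WEAK_CORS_HEADERS = { 'Access-Control-Allow-Origin': '*' };

// Hardened policy: only exact, explicitly trusted origins (scheme + host + port).
// The allowlist is an assumed configuration value, not an AnythingLLM setting.
function makeCorsPolicy(allowlist) {
  const trusted = new Set(allowlist.map((o) => new URL(o).origin)); // normalize, drop any path
  return function corsHeadersFor(requestOrigin) {
    // No Origin header (same-origin request) or the opaque "null" origin: no CORS headers.
    if (!requestOrigin || requestOrigin === 'null') return {};
    let origin;
    try { origin = new URL(requestOrigin).origin; } catch (e) { return {}; } // unparsable: deny
    if (!trusted.has(origin)) return {}; // untrusted: omit ACAO entirely, so the browser blocks the read
    return {
      'Access-Control-Allow-Origin': origin, // echo the value we matched, never the raw header
      Vary: 'Origin',                         // shared caches must not reuse this across origins
      'Access-Control-Allow-Credentials': 'true',
    };
  };
}

// Classify one response to a self-audit request that carried a deliberately untrusted Origin.
// The advisory's condition is permissive CORS AND no authentication on the same endpoint.
function classifyResponse(status, headers, untrustedOrigin) {
  const acao = headers['Access-Control-Allow-Origin'];
  const permissive = acao === '*' || acao === untrustedOrigin; // wildcard or reflected origin
  const unauthenticated = status >= 200 && status < 300;      // data served without credentials
  return { permissive, unauthenticated, exposed: permissive && unauthenticated };
}

// Stand-alone demo with constructed values (assumed front-end origin and probe origin).
const demoPolicy = makeCorsPolicy(['http://localhost:3001']);
console.log(demoPolicy('http://localhost:3001'));            // ACAO echoed for the trusted origin
console.log(demoPolicy('http://192.168.1.20:8080'));         // {} for an untrusted LAN origin
console.log(classifyResponse(200, WEAK_CORS_HEADERS, 'http://192.168.1.20:8080').exposed); // true
```

A browser never sends an Origin value it did not itself attach, so matching the full origin (not a host prefix) is what keeps lookalike hosts out.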


Advisories

No advisories yet.

History

Mon, 16 Mar 2026 21:15:00 +0000

Metrics added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 20:45:00 +0000

First Time appeared: Mintplexlabs anythingllm
CPEs added: cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*
Vendors & Products added: Mintplexlabs anythingllm

Mon, 16 Mar 2026 10:15:00 +0000

First Time appeared: Mintplexlabs; Mintplexlabs anything-llm
Vendors & Products added: Mintplexlabs; Mintplexlabs anything-llm

Fri, 13 Mar 2026 20:30:00 +0000

Description added: AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, on default installations where no password or API key has been configured, all HTTP endpoints and the agent WebSocket lack authentication, and the server's CORS policy accepts any origin. AnythingLLM Desktop binds to 127.0.0.1 (loopback) by default. Modern browsers (Chrome, Edge, Firefox) implement Private Network Access (PNA). This explicitly blocks public websites from making requests to local IP addresses. Exploitation is only viable from within the same local network (LAN) due to browser-level blocking of public-to-private requests.
Title added: AnythingLLM Permissive CORS policy
Weaknesses added: CWE-1188, CWE-942
References added: (none listed)
Metrics added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L'}


MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-16T20:09:19.009Z
Reserved: 2026-03-12T15:29:36.557Z
Link: CVE-2026-32617

Vulnrichment
Updated: 2026-03-16T20:09:14.369Z

NVD
Status: Analyzed
Published: 2026-03-16T14:19:39.630
Modified: 2026-03-16T20:40:06.763
Link: CVE-2026-32617

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-03-23T13:40:00Z

Weaknesses