Description
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the filesystem-search-files agent skill passes its LLM-controlled pattern parameter to ripgrep as a positional argument without a -- end-of-options separator. ripgrep parses any argument that starts with - as an option, so a pattern of --pre=/bin/sh turns ripgrep into a script executor: it runs /bin/sh <file> for every file it walks. An attacker who can chat with an agent on a deployment with the filesystem plugin enabled (the default in the official Docker image) can use this, together with the sibling filesystem-write-text-file skill, to run arbitrary commands inside the AnythingLLM server container. This vulnerability is fixed in 1.13.0.
Published: 2026-05-28
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw arises when an AnythingLLM agent skill passes a pattern provided by the LLM to the ripgrep tool without an end‑of‑options separator. Ripgrep interprets any argument starting with a dash as an option, so a user‑controlled pattern such as --pre=/bin/sh causes ripgrep to execute /bin/sh with the matched file name as an argument. This allows an attacker who can interact with the agent to run arbitrary commands inside the AnythingLLM server container. The vulnerability is therefore a high‑severity remote code execution flaw linked to unsafe command line construction (CWE‑77) and command injection via a pre‑command option (CWE‑88).

Affected Systems

The vulnerability affects all releases of Mintplex‑Labs AnythingLLM before version 1.13.0, including the default Docker image in which the filesystem plugin is enabled by default. Any deployment that has the filesystem‑search‑files agent skill active and accepts LLM‑controlled patterns is impacted.

Risk and Exploitability

With a CVSS score of 7.5, the risk is considered high. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack path requires an attacker who can submit chat inputs to the agent; by providing a malicious pattern such as --pre=/bin/sh and using the sibling filesystem‑write‑text‑file skill, the attacker can gain command execution capability within the container, compromising confidentiality, integrity, and availability of the host system.

Generated by OpenCVE AI on May 28, 2026 at 22:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AnythingLLM to version 1.13.0 or later.
  • If an upgrade is not immediately possible, disable or restrict the filesystem‑search‑files agent skill to prevent LLM‑controlled pattern injection.
  • Run the AnythingLLM container with the least privilege necessary, using a non‑privileged user and read‑only file system mounts to limit the impact of potential command execution.
  • Monitor logs for suspicious ripgrep execution or unexpected command execution patterns, and consider implementing an application‑level firewall to block execution of system shells from the container.

Generated by OpenCVE AI on May 28, 2026 at 22:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 30 May 2026 03:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 29 May 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Mintplexlabs anythingllm
CPEs cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*
Vendors & Products Mintplexlabs anythingllm

Thu, 28 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Mintplexlabs
Mintplexlabs anything-llm
Vendors & Products Mintplexlabs
Mintplexlabs anything-llm

Thu, 28 May 2026 21:30:00 +0000

Type Values Removed Values Added
Description AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the filesystem-search-files agent skill passes its LLM-controlled pattern parameter to ripgrep as a positional argument without a -- end-of-options separator. ripgrep parses any argument that starts with - as an option, so a pattern of --pre=/bin/sh turns ripgrep into a script executor: it runs /bin/sh <file> for every file it walks. An attacker who can chat with an agent on a deployment with the filesystem plugin enabled (the default in the official Docker image) can use this, together with the sibling filesystem-write-text-file skill, to run arbitrary commands inside the AnythingLLM server container. This vulnerability is fixed in 1.13.0.
Title AnythingLLM: RCE via ripgrep --pre argument injection in filesystem-search-files agent skill
Weaknesses CWE-77
CWE-88
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Mintplexlabs Anything-llm Anythingllm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-30T02:22:53.743Z

Reserved: 2026-05-20T18:46:58.289Z

Link: CVE-2026-48116

cve-icon Vulnrichment

Updated: 2026-05-30T02:22:49.518Z

cve-icon NVD

Status : Modified

Published: 2026-05-28T22:17:01.390

Modified: 2026-05-30T04:17:22.667

Link: CVE-2026-48116

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T23:00:16Z

Weaknesses