{ "affected": [ { "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "732eac6fa89f43288bbb65ecc6298ebcd96b7aeb" } ], "repo": "https://github.com/mintplex-labs/anything-llm", "type": "GIT" } ] } ], "aliases": [ "GHSA-wfq3-65gm-3g2p" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-863" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32715.json" }, "details": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The two generic system-preferences endpoints allow manager role access, while every other surface that touches the same settings is restricted to admin only. Because of this inconsistency, a manager can call the generic endpoints directly to read plaintext SQL database credentials and overwrite admin-only global settings such as the default system prompt and the Community Hub API key.", "id": "CVE-2026-32715", "modified": "2026-04-01T23:08:04.134891965Z", "published": "2026-03-13T21:22:00.783Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32715.json" }, { "type": "ADVISORY", "url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-wfq3-65gm-3g2p" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32715" }, { "type": "FIX", "url": "https://github.com/Mintplex-Labs/anything-llm/commit/732eac6fa89f43288bbb65ecc6298ebcd96b7aeb" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "type": "CVSS_V3" } ], "summary": "AnythingLLM Manager Privilege Bypass Allows Access to Admin-Only System Preferences" }