AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The two generic system-preferences endpoints allow manager role access, while every other surface that touches the same settings is restricted to admin only. Because of this inconsistency, a manager can call the generic endpoints directly to read plaintext SQL database credentials and overwrite admin-only global settings such as the default system prompt and the Community Hub API key.
Metrics
Affected Vendors & Products
No data.
No data.
No data.
No data.
References
History
Fri, 13 Mar 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The two generic system-preferences endpoints allow manager role access, while every other surface that touches the same settings is restricted to admin only. Because of this inconsistency, a manager can call the generic endpoints directly to read plaintext SQL database credentials and overwrite admin-only global settings such as the default system prompt and the Community Hub API key. | |
| Title | AnythingLLM Manager Privilege Bypass Allows Access to Admin-Only System Preferences | |
| Weaknesses | CWE-863 | |
| References |
| |
| Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-13T21:22:00.783Z
Reserved: 2026-03-13T14:33:42.824Z
Link: CVE-2026-32715
Vulnrichment
No data.
NVD
No data.
Redhat
No data.
OpenCVE Enrichment
No data.