CVE-2026-32715 LOW

CVE-2026-32715: AnythingLLM Manager Privilege Bypass Allows Access to Admin-Only System Preferences

Vendor Mintplex-Labs
Product anything-llm
Weakness CWE-863 · Incorrect authorization
Published March 13, 2026
Last update March 16, 2026
View on NVD All CVEs

CVSS base score

3.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The two generic system-preferences endpoints allow manager role access, while every other surface that touches the same settings is restricted to admin only. Because of this inconsistency, a manager can call the generic endpoints directly to read plaintext SQL database credentials and overwrite admin-only global settings such as the default system prompt and the Community Hub API key.

Key dates

02Disclosure timeline

March 13, 2026 CVE published
March 16, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-4274 Insufficient authorization in shared channel membership sync grants team-level access instead of channel-level access CVE-2026-32228 Apache Airflow: Users with asset materialization permisssions could trigger Dags they had no access to CVE-2025-2515 Bluechi: privilege escalation in bluechi via unrestricted cross-node systemd dependencies CVE-2026-35596 Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug CVE-2022-34397