CVE-2026-32717 LOW

CVE-2026-32717: AnythingLLM access control bypass: suspended users can continue using Browser Extension API keys

Vendor Mintplex-Labs
Product anything-llm
Weakness CWE-863 · Incorrect authorization
Published March 13, 2026
Last update March 16, 2026

CVSS base score

2.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, in multi-user mode, AnythingLLM blocks suspended users on the normal JWT-backed session path, but it does not block them on the browser extension API key path. If a user already has a valid brx-... browser extension API key, that key continues to work after suspension. As a result, a suspended user can still access browser extension endpoints, read reachable workspace metadata, and continue upload or embed operations even though normal authenticated requests are rejected.
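The pattern described above, as an added example that is not AnythingLLM's code: a resolver that checks `suspended` only on the JWT session path (the vulnerable shape) beside a hardened resolver that looks up the identity from whichever credential was presented and applies the account-status check once afterwards, so an API key cannot outlive a suspension. All user, session and key tables below are constructed, and the `brx-` prefix check, field names and middleware shape are hypothetical.

```javascript
// Constructed in-memory user store (hypothetical field names).
const users = new Map([
  [1, { id: 1, username: "alice", suspended: false }],
  [2, { id: 2, username: "bob", suspended: true }],
]);

// Constructed credential tables: JWT-backed sessions and browser-extension API keys ("brx-" prefix).
const sessions = new Map([["jwt-alice", 1], ["jwt-bob", 2]]);
const extensionKeys = new Map([["brx-alice-key", 1], ["brx-bob-key", 2]]);

// Vulnerable shape: the suspension check lives only in the session branch,
// so a previously issued extension key still resolves to a suspended user.
function resolveUserVulnerable(credential) {
  if (credential.startsWith("brx-")) {
    const id = extensionKeys.get(credential);
    return id === undefined ? null : users.get(id); // no account-status check here
  }
  const id = sessions.get(credential);
  const user = id === undefined ? null : users.get(id);
  if (!user || user.suspended) return null;
  return user;
}

// Hardened shape: credential type only decides *which* table identifies the user;
// the account-status policy is applied once, after identity resolution, for every path.
function lookupIdentity(credential) {
  const table = credential.startsWith("brx-") ? extensionKeys : sessions;
  const id = table.get(credential);
  return id === undefined ? null : users.get(id);
}

function resolveUserHardened(credential) {
  const user = lookupIdentity(credential);
  if (!user || user.suspended) return null; // single chokepoint for suspension
  return user;
}

// Express-style middleware (illustrative shape) built on a resolver; rejects with 403
// when no active user can be derived from the bearer credential.
function requireActiveUser(resolve) {
  return (req, res, next) => {
    const cred = (req.headers.authorization || "").replace(/^Bearer\s+/i, "");
    const user = resolve(cred);
    if (!user) return res.status(403).json({ error: "forbidden" });
    req.user = user;
    next();
  };
}
```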

Key dates

02 Disclosure timeline

March 13, 2026 CVE published
March 16, 2026 Record updated