CVE-2026-32717
Published 2026-03-16
Priority: P4 (low) | CVSS 3.1 base score: 2.7
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.23% (13.8th percentile)
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, in multi-user mode, AnythingLLM blocks suspended users on the normal JWT-backed session path, but it does not block them on the browser extension API key path. If a user already has a valid brx-... browser extension API key, that key continues to work after suspension. As a result, a suspended user can still access browser extension endpoints, read reachable workspace metadata, and continue upload or embed operations even though normal authenticated requests are rejected.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mintplex-labs | anything-llm | <= 1.11.1 | — |
| mintplexlabs | anythingllm | <= 1.11.1 | — |
No advisories linked to this vulnerability.
No detection rules found.
No public exploits indexed.
Related (Wiz): CVE-2026-32717 Impact, Exploitability, and Mitigation Steps | Wiz (listed as CVSS 2.7, LOW)
## CVE-2026-32717 : vulnerability analysis and mitigation
Source: NVD | Score: 2.7 | Published: March 16, 2026 | Severity: LOW | CNA Score: 2.7
Affected Technologies
Related (Wiz): CVE-2026-5627 Impact, Exploitability, and Mitigation Steps | Wiz (listed as CVSS 7.7, HIGH)
## CVE-2026-5627 : AnythingLLM vulnerability analysis and mitigation
Identifiers referenced in the analysis (description text not captured): AgentFlows, loadFlow, deleteFlow, server/utils/agentFlows/index.js, path.join, normalizePath, .json, package.json
Source: NVD | Score: 9.1 | Published: April 7, 2026 | Severity: CRITICAL | CNA Score: 9.1
Affected Technologies: AnythingLLM
Has Public Exploit: Yes | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 9.8 | Exploitation Probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:mintplexlabs:anythingllm
Sources: NVD
Linux: Severity CRITICAL, Has Fix, Added at Apr 09, 2026
Windows: Severity CRITICAL, Has Fix, Added at Apr 09, 2026