PT-2026-25377 · Unknown · Anything-Llm

Luz-Oasis · Published 2026-03-13 · Updated 2026-03-17 · CVE-2026-32617

CVSS v2.0: 7.6 (High)
Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: AnythingLLM versions 1.11.1 and earlier

Description: AnythingLLM is an application designed to provide context for Large Language Models (LLMs). On default installations without a configured password or API key, all HTTP endpoints and the agent WebSocket are accessible without authentication. The server's Cross-Origin Resource Sharing (CORS) policy allows requests from any origin. By default the application binds to the loopback address 127.0.0.1. Exploitation is limited to the local network (LAN), because browser-level security features prevent public websites from accessing local IP addresses. The application's purpose is to turn content into context for LLMs during chat interactions.

Recommendations: Versions prior to 1.11.1 should be updated. Configure a strong password or API key for the application. Review and restrict the CORS policy so that only requests from trusted origins are allowed.

Related Identifiers

BDU:2026-04256
CVE-2026-32617
GHSA-24QJ-PW4H-3JMM

Affected Products

Anything-Llm