CVE-2026-32715

Name of the Vulnerable Software and Affected Versions AnythingLLM versions 1.11.1 and earlier

Description AnythingLLM is an application designed to provide context for Large Language Models (LLMs). A discrepancy exists where two generic system-preferences API endpoints, ''/system-preferences'' and ''/system-preferences/{id}'', allow access to users with the manager role, while other interfaces for the same settings are restricted to administrators. This inconsistency allows a manager to directly access plaintext SQL database credentials and modify administrator-only global settings, including the default system prompt and the Community Hub API key. The vulnerable parameters are not explicitly mentioned.

Recommendations Versions prior to 1.11.1 should be updated. As a temporary workaround, restrict direct access to the ''/system-preferences'' and ''/system-preferences/{id}'' API endpoints for manager roles.