PT-2026-25397 · Unknown · Anything-Llm
U-Ktdi · Published 2026-03-13 · Updated 2026-03-16 · CVE-2026-32717
CVSS v2.0: 3.3 (Low)
Vector: AV:N/AC:L/Au:M/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: AnythingLLM versions 1.11.1 and earlier
Description: AnythingLLM is an application designed to provide context for Large Language Models (LLMs). In multi-user mode, the application fails to block suspended users from accessing the system through browser extension API keys, although it does block them through standard JWT-backed sessions. A suspended user holding a valid brx-... browser extension API key can therefore continue to reach the browser extension endpoints, read workspace metadata, and perform upload or embed operations. The API key path grants continued access even after normal authentication is denied.
Recommendations: Versions prior to 1.11.1 should be updated. Ensure that browser extension API keys are invalidated, or their access revoked, when a user is suspended.
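As an added illustration of the flaw class (not AnythingLLM's own code), the hypothetical authorizer below resolves a caller from either a session token or a brx- extension API key. The vulnerable version applies the suspension check only on the session path; the fixed version resolves identity first and applies the account-state check once for every credential type, and suspension also revokes the user's extension keys as the advisory recommends. Header names, the user and credential tables, and the key format are constructed assumptions.

```javascript
// Hypothetical model of the authorization flaw; not AnythingLLM's code.
// Constructed sample data: users, JWT-style sessions, and "brx-" API keys.
const users = new Map([
  [1, { id: 1, username: "alice", suspended: false }],
  [2, { id: 2, username: "bob", suspended: true }], // suspended account
]);
const sessions = new Map([["jwt-alice", 1], ["jwt-bob", 2]]);
const browserKeys = new Map([["brx-alice-key", 1], ["brx-bob-key", 2]]);

// Vulnerable: suspension is checked only on the session path, so a valid
// extension API key still authorizes a suspended user.
function authorizeVulnerable(req) {
  const apiKey = req.headers["x-extension-key"];
  if (apiKey && apiKey.startsWith("brx-") && browserKeys.has(apiKey)) {
    return { ok: true, user: users.get(browserKeys.get(apiKey)) };
  }
  const session = req.headers["authorization"];
  if (session && sessions.has(session)) {
    const user = users.get(sessions.get(session));
    if (user.suspended) return { ok: false, reason: "suspended" };
    return { ok: true, user };
  }
  return { ok: false, reason: "unauthenticated" };
}

// Fixed: resolve identity from whichever credential is present, then apply
// the account-state check once, independent of how the caller authenticated.
function resolveUser(req) {
  const apiKey = req.headers["x-extension-key"];
  if (apiKey && apiKey.startsWith("brx-") && browserKeys.has(apiKey)) {
    return users.get(browserKeys.get(apiKey));
  }
  const session = req.headers["authorization"];
  if (session && sessions.has(session)) return users.get(sessions.get(session));
  return null;
}
function authorizeFixed(req) {
  const user = resolveUser(req);
  if (!user) return { ok: false, reason: "unauthenticated" };
  if (user.suspended) return { ok: false, reason: "suspended" };
  return { ok: true, user };
}

// Defence in depth: suspending a user also revokes their extension API keys,
// so a path that forgets the state check has no valid credential to accept.
function suspendUser(id) {
  const user = users.get(id);
  if (!user) return false;
  user.suspended = true;
  for (const [key, uid] of browserKeys) if (uid === id) browserKeys.delete(key);
  return true;
}
```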

Exploit

Fix

Weakness Enumeration

Incorrect Authorization

Related identifiers

BDU:2026-04253
CVE-2026-32717
GHSA-7754-8JCC-2RG3

Affected products

Anything-Llm