
CVE-2026-32617: CWE-942: Permissive Cross-domain Policy with Untrusted Domains in Mintplex-Labs anything-llm

Severity: High
Tags: Vulnerability, CVE-2026-32617, CWE-942, CWE-1188
Published: Fri Mar 13 2026 (03/13/2026, 20:07:57 UTC)
Source: CVE Database V5
Vendor/Project: Mintplex-Labs
Product: anything-llm

Description

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In versions 1.11.1 and earlier, on default installations where no password or API key has been configured, all HTTP endpoints and the agent WebSocket lack authentication, and the server's CORS policy accepts any origin. AnythingLLM Desktop binds to 127.0.0.1 (loopback) by default. Modern browsers (Chrome, Edge, Firefox) implement Private Network Access (PNA), which explicitly blocks public websites from making requests to local IP addresses. Exploitation is therefore only viable from within the same local network (LAN), because the browser blocks public-to-private requests.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/20/2026, 23:21:13 UTC

Technical Analysis

CVE-2026-32617 is a vulnerability in Mintplex-Labs' AnythingLLM application, versions 1.11.1 and earlier, caused by an overly permissive cross-origin resource sharing (CORS) policy that accepts requests from any origin. In addition, when the application is installed with default settings and no password or API key configured, all HTTP endpoints and the agent WebSocket interface lack authentication controls. Together these allow an attacker on the same local network to perform unauthorized actions by sending crafted requests to the AnythingLLM server. The application binds to 127.0.0.1 by default, so the listener itself is reachable only from the local machine; the exposure extends to the local network because a web page served from a LAN host and opened in the user's browser can issue cross-origin requests to the loopback listener, which the open CORS policy and the missing authentication then accept. Modern browsers implement Private Network Access (PNA) to prevent public websites from making requests to private IP ranges, which mitigates remote exploitation from the internet but does not protect against local network attackers. The vulnerability is categorized under CWE-942 (Permissive Cross-domain Policy with Untrusted Domains) and CWE-1188 (Improper Access Control). The CVSS v3.1 base score is 7.1, reflecting high severity: unauthorized data access and manipulation are possible without authentication, though user interaction is required to trigger the exploit. No patches or exploits in the wild are currently documented, but the risk remains significant for local network environments where AnythingLLM is deployed without proper security configuration.

Potential Impact

The vulnerability allows attackers on the same local network to bypass authentication and interact with AnythingLLM's HTTP and WebSocket interfaces, potentially accessing sensitive data or manipulating the application's behavior. This compromises confidentiality and integrity of the data processed by the LLM, which may include proprietary or sensitive content references. Although availability impact is low, unauthorized access could lead to data leakage, injection of malicious context into LLM queries, or disruption of normal application operations. Organizations relying on AnythingLLM for internal knowledge management or AI-driven workflows are at risk of internal threat actors or compromised devices within their LAN exploiting this vulnerability. The risk is heightened in environments with lax network segmentation or where users connect to shared networks. Since exploitation requires local network access, remote attackers are largely mitigated by browser PNA protections, but insider threats or malware on the LAN remain significant concerns.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately configure AnythingLLM to require strong authentication via passwords or API keys, ensuring no endpoints are accessible without credentials. Administrators should restrict the CORS policy to allow only trusted, specific origins rather than accepting any origin. Network segmentation should be enforced to isolate AnythingLLM servers from untrusted devices on the LAN. Employ firewall rules or host-based access controls to limit access to the 127.0.0.1 interface or the ports used by AnythingLLM, preventing unauthorized local network access. Monitor network traffic for unusual requests to AnythingLLM endpoints and implement logging to detect potential exploitation attempts. Users should update to versions beyond 1.11.1 once patches are released. Additionally, educating users about the risks of connecting to untrusted local networks and enforcing endpoint security can reduce the attack surface. Since no patches are currently available, these compensating controls are critical to reduce risk.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-12T15:29:36.557Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69b473bd2f860ef943aa93f5

Added to database: 3/13/2026, 8:29:49 PM

Last enriched: 3/20/2026, 11:21:13 PM

Last updated: 4/29/2026, 11:26:04 PM
