AnythingLLM Agent Security Risks

General Assistant Agents · anythingllm.com · Quadrant: Exposed Giants

AI Risk Quadrant position: attack surface 7.6, defense controls 1 (the chart on the original page places agents in one of four quadrants: Exposed Giants, Fortified Leaders, Humble Providers, Tight Operators).

Summary scores
  • AIRQ Score: 3.08 (Critical)
  • Attack Surface: 7.6 (Critical)
  • Blast Radius: 6.38 (High)
  • Defense Controls: 1 (Critical)
About The Agent

AnythingLLM is an open-source, model-agnostic AI assistant that bundles RAG document ingestion, built-in agent tools, custom NodeJS skill execution, and a community plugin hub into a single server process. It deploys as a Desktop Electron application, a Docker container, or a managed cloud instance. The default configuration exposes multiple attacker-reachable surfaces — web scraping, document uploads, SQL execution, file system access, and email integrations — without input filtering, execution isolation, or per-action approval gates. Nine CVEs with CVSS scores ranging from 4.2 to 9.6 have been publicly disclosed.

About the AI Risk Quadrant

Exposed Giants agents present high attack surface exposure (X ≥ 5) with moderate blast radius (Y < 7), indicating that an attacker can reach numerous input channels and tool interfaces but the downstream damage of each exploitation path is partially bounded. AnythingLLM scores 7.60 on attack surface and 6.38 on blast radius with a defense controls score of 1 out of 15. Operators should prioritize restricting untrusted input channels and enabling authentication on every deployment before pursuing deeper blast-radius containment.

1 Key Risks

The most critical security risks an operator inherits when deploying this agent in its documented default configuration. AnythingLLM presents a uniformly weak risk posture across all five defense components on its default configuration, with no input filtering, no execution isolation, and no action controls.

Key Input Risks
The unauthenticated chat API accepts requests from any origin via permissive CORS, making the zero-click input channel the highest-impact surface on the default configuration. Document uploads, web scraping, community hub plugins, and MCP servers add further untrusted input paths without filtering; operators should disable unauthenticated access and restrict upload sources immediately.
Key Execution Risks
Custom agent skills execute arbitrary NodeJS code within the server process, and the SQL Agent runs queries against connected databases with no parameterization. The Desktop Electron app runs with nodeIntegration enabled and contextIsolation disabled, granting browser-context code full host-OS access.
Key Action Risks
All agent tool invocations fire autonomously without per-action operator approval on the default single-user configuration, which exposes the full API without authentication. The highest-blast-radius scope includes unrestricted SQL execution, file system read/write, and outbound network requests via built-in tools.
Key Output Risks
LLM-generated output is rendered through dangerouslySetInnerHTML in the PromptReply component and the Chartable caption renderer without DOMPurify sanitization on the default configuration. No DLP, exfiltration blocking, credential redaction, or URL sanitization is documented by the vendor for any deployment mode.
Key Monitoring Risks
AnythingLLM provides file-based logging and optional anonymous PostHog telemetry on the default configuration with no SIEM integration or anomaly detection documented. Tool invocations, document ingestion events, and cross-workspace data access patterns are not logged at a granularity supporting forensic investigation.

2 AIRQ Scores

The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. AnythingLLM's AIRQ composite of 2.70 reflects high attack surface exposure and near-absent vendor defenses that leave the operator responsible for every hardening control.

AIRQ Metrics

AnythingLLM places in the Exposed Giants quadrant with an attack surface of 7.60, a blast radius of 6.38, and defense controls of 1.

Attack surface and blast radius are scored out of 10, defense controls out of 15; lower AIRQ composites indicate greater operator hardening burden before production use.

Metric (score): comments
AIRQ Score (3.08): Low composite indicates that the operator must deploy external hardening controls before production use on any deployment mode.
Blast Radius (6.38 / 10): Code execution, file system, network, and credential access all score 3 of 4, bounded only by the absence of scheduling and deployment tools.
Attack Surface (7.6 / 10): Six of ten surfaces score at or above the scale midpoint, with tool execution and output processing at the ceiling; trifecta-complete.
Defense Controls (1 / 15): Only basic monitoring scores above zero; the vendor documents no input filtering, no execution isolation, no approval gates, and no output sanitization.

3 Attack Surface

Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. AnythingLLM's reasoning loop ingests untrusted content from web scraping, document uploads, community plugins, and unauthenticated API calls, then executes tools against databases, filesystems, and external services.

Attack Surface Metrics

Higher scores indicate surfaces with demonstrated exploitation chains; tool execution, output processing, and configuration reach the scale ceiling at 5.0 due to critical CVEs.

Each row maps a named surface to its adjusted score and a comment citing the specific vulnerability or architectural gap that grounds the rating.

Surface (score): comments
User Input (4 / 4): Default installs accept chat API requests from any origin via permissive CORS with no authentication required [13].
External Data (4 / 4): Web scraper fetches attacker-controlled URLs with demonstrated SSRF [9], and the DrupalWiki integration allows arbitrary file write via path traversal [3].
Memory (3 / 4): Workspace documents persist in the vector database across chat sessions; indirect prompt injection via RAG documents achieves cross-session attack persistence [11].
Reasoning (3 / 4): The agent trusts LLM-generated tool-call arguments without parameter validation, enabling SQL injection via reasoning output [12].
Planning (2 / 4): Multi-step tool chaining within a single session with no subagent delegation, scheduling, or background task execution [16].
Tool Execution (5 / 4): SQL Agent demonstrated OS command execution via stacked queries [2], and streaming XSS escalated to host-OS RCE via Electron misconfiguration [1].
Orchestration (2 / 4): Single-session orchestration via the AIbitat conversation engine with no daemon mode or unsupervised background execution [22].
Inter-Agent (4.5 / 4): Community hub plugin import is vulnerable to Zip Slip path traversal, allowing arbitrary code execution from a malicious skill package [4].
Output Processing (5 / 4): PromptReply renders LLM output via dangerouslySetInnerHTML without DOMPurify [1], and the chart caption renderer has a separate stored DOM XSS path [5][14].
Configuration (5 / 4): Default installs bind to 0.0.0.0 with permissive CORS and no authentication [13]; path traversal deletes files including the application database [8].

The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. AnythingLLM ingests untrusted documents and web content into a workspace that stores credentials and database records, with unrestricted outbound HTTP; enabling authentication alone breaks the unauthenticated-input dimension.

Lethal Trifecta · Complete (3 of 3)

AnythingLLM exhibits all three of these conditions in its documented default configuration:

  • Untrusted input: six attacker-reachable channels (chat API, file uploads, web scraping, plugin imports, MCP connectors, and browser extension) feed untrusted bytes directly into the workspace reasoning loop [10].
  • Sensitive data: the SQL Agent accesses database records, QdrantApiKey leakage grants vector DB access [7], and all workspaces share a system-wide vector database [21].
  • External egress: web browsing, web scraping, and email integrations make unrestricted outbound requests with no egress filtering or domain allowlisting documented [9].

4 Blast Radius

The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. A compromised AnythingLLM instance reaches host-level code execution, arbitrary file system access, unrestricted outbound network requests, and exposed API credentials; cloud deployments add AWS-hosted data stores and vendor telemetry collection [19].

Blast Radius Metrics

Higher blast scores indicate broader downstream impact from a single exploitation path; code execution, files, network, and credentials all score 3 of 4.

Each row maps a blast factor to its score and a comment citing the tool or integration that carries the demonstrated or documented impact.

Factor (score): comments
Code execution (3 / 4): Custom agent skills run arbitrary NodeJS on the server [20], and SQL Agent demonstrated OS command execution via PostgreSQL COPY TO PROGRAM [2].
File system access (3 / 4): File System Agent grants read/write to operator-specified host directories [17]; path traversal historically enabled deletion of arbitrary files [8].
Network access (3 / 4): Web browsing and web scraping make unrestricted outbound HTTP requests; SSRF via the link collector demonstrated internal network scanning [9].
Credential access (3 / 4): QdrantApiKey exposed via unauthenticated endpoint [7]; custom skills run in the server process with access to process.env, exposing all configured API keys and connection strings.
Autonomous action (2 / 4): Agent tools fire autonomously within a user session, but no scheduling, daemon mode, or trigger-based execution is documented [16].
Deployment access (1 / 4): Blast radius is limited by the absence of built-in deployment, infrastructure modification, or CI/CD tools in the documented agent architecture [16].

5 Defense Controls

Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. AnythingLLM ships without input filtering, execution isolation, approval gates, or output sanitization on the default configuration; only basic file-based logging is present.

Defense Controls Metrics

Higher defense scores indicate stronger vendor-implemented safeguards; AnythingLLM scores 1 of 15, meaning 14 defense points are absent from the vendor default.

Each component is scored from 0 to 3 based on whether the vendor implements the control by default or leaves it to the operator.

Component (score): comments
Input Guardrails (0 / 3): No prompt-injection detection or content filtering documented; cross-prompt injection via workspace documents was independently demonstrated with no vendor remediation [10].
Execution Isolation (0 / 3): Desktop Electron runs with nodeIntegration enabled and contextIsolation disabled; Docker requires SYS_ADMIN; no sandbox or process isolation documented [11].
Action Controls (0 / 3): No per-tool approval gates or domain restrictions on default installs [13]; IDOR on the TTS endpoint confirms missing ownership validation [6].
Output Guardrails (0 / 3): DOMPurify missing from PromptReply and Chartable rendering paths [1]; the HuntR catalog documents additional XSS vectors via SVG uploads [15].
Monitoring (1 / 3): Self-hosted deployments provide file-based logging [18]; no SIEM forwarding, no anomaly detection, no per-action audit trail across any deployment mode.

6 Hardening Tips

Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. Operators should prioritize enabling authentication, restricting untrusted input channels, and adding output sanitization before addressing deeper isolation and monitoring controls.

Input Guardrails

Input guardrails intercept adversarial content before it reaches the reasoning loop.

  • Policy: Require all uploaded documents and web-scraped content to pass through a security review gate before ingestion into any workspace.
  • Configuration: Set AUTH_TOKEN and JWT_SECRET environment variables on every deployment and disable the unauthenticated API by configuring a reverse proxy with origin restrictions.
  • Engineering: Deploy a prompt-injection detection model as a preprocessing middleware on the chat and document upload endpoints.

Execution Isolation

Execution isolation contains what a compromised agent can do on the host.

  • Policy: Require all custom agent skills to be reviewed and approved by a security team before deployment to production instances.
  • Configuration: Run AnythingLLM in Docker with --security-opt=no-new-privileges, drop SYS_ADMIN, and bind-mount only the minimum required directories.
  • Engineering: Patch the Electron configuration to enable contextIsolation and disable nodeIntegration; wrap custom skill execution in a worker_threads sandbox.

Action Controls

Action controls govern which tools and actions the agent can invoke autonomously.

  • Policy: Require explicit operator approval for enabling the SQL Agent, File System Agent, and email integrations on production deployments.
  • Configuration: Disable all agent tools by default and enable only the minimum required set per workspace via workspace settings.
  • Engineering: Implement a pre-execution hook on the AIbitat tool-call pipeline that enforces parameterized-query-only SQL and restricts file paths to workspace storage.

Output Guardrails

Output guardrails inspect what the agent sends to other systems and users.

  • Policy: Require all LLM output rendered in chat to pass through DOMPurify before DOM insertion; treat all model output as untrusted.
  • Configuration: Configure a Content-Security-Policy header on the AnythingLLM server that blocks inline scripts and restricts script-src to 'self'.
  • Engineering: Add DOMPurify.sanitize calls to the PromptReply streaming renderer and the Chartable caption component to strip event-handler attributes.

Monitoring

Monitoring captures what the agent did and surfaces anomalies for review.

  • Policy: Require structured logging of all agent tool invocations, document ingestion events, and authentication attempts with 90-day retention.
  • Configuration: Configure the server to forward structured logs to a SIEM via syslog or a log-shipping agent for centralized analysis.
  • Engineering: Instrument the AIbitat engine with OpenTelemetry tracing and alert on unusual tool-call frequency, cross-workspace document access, and outbound requests to non-allowlisted domains.
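As an added example (not AnythingLLM's or any vendor's code), two of the alerts named in the Engineering tip run over constructed structured tool-invocation log lines: outbound requests to hosts outside an egress allowlist, and tool-call bursts from a single workspace inside a sliding window. The log field names, the allowlist and the thresholds are assumptions.

```javascript
// Added example, not AnythingLLM's own code: two Monitoring alerts run over
// constructed tool-invocation logs. Field names and thresholds are assumptions.
// Constructed sample: one JSON event per line, as a log shipper would emit.
const SAMPLE_LOG = [
  '{"ts":1700000000,"workspace":"ws-1","tool":"web-scraping","url":"https://docs.example.com/a"}',
  '{"ts":1700000003,"workspace":"ws-1","tool":"web-scraping","url":"http://169.254.169.254/latest/meta-data/"}',
  '{"ts":1700000010,"workspace":"ws-2","tool":"sql-query","table":"orders"}',
  '{"ts":1700000012,"workspace":"ws-2","tool":"sql-query","table":"orders"}',
  '{"ts":1700000014,"workspace":"ws-2","tool":"sql-query","table":"customers"}',
  '{"ts":1700000015,"workspace":"ws-2","tool":"sql-query","table":"customers"}',
  '{"ts":1700000016,"workspace":"ws-2","tool":"sql-query","table":"customers"}',
].join("\n");

const EGRESS_ALLOWLIST = new Set(["docs.example.com", "api.example.com"]);
const BURST_THRESHOLD = 5;    // calls within the window that raise an alert
const BURST_WINDOW_SEC = 60;

const parseLog = (text) => text.split("\n").filter(Boolean).map((line) => JSON.parse(line));

// Alert 1: outbound requests to hosts outside the egress allowlist. A URL that
// does not parse is reported as well, since it cannot be shown to be allowed.
function findNonAllowlistedEgress(events) {
  const hits = [];
  for (const e of events) {
    if (typeof e.url !== "string") continue;
    let host = null;
    try { host = new URL(e.url).hostname; } catch { /* malformed URL */ }
    if (host === null || !EGRESS_ALLOWLIST.has(host)) {
      hits.push({ workspace: e.workspace, tool: e.tool, url: e.url });
    }
  }
  return hits;
}

// Alert 2: BURST_THRESHOLD or more tool calls from one workspace inside a
// sliding BURST_WINDOW_SEC window (two-pointer scan over sorted timestamps).
function findToolCallBursts(events) {
  const byWorkspace = new Map();
  for (const e of events) {
    if (!byWorkspace.has(e.workspace)) byWorkspace.set(e.workspace, []);
    byWorkspace.get(e.workspace).push(e.ts);
  }
  const alerts = [];
  for (const [workspace, stamps] of byWorkspace) {
    stamps.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < stamps.length; end++) {
      while (stamps[end] - stamps[start] > BURST_WINDOW_SEC) start++;
      if (end - start + 1 >= BURST_THRESHOLD) { alerts.push({ workspace, count: end - start + 1 }); break; }
    }
  }
  return alerts;
}
```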

7 References

The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7, 13]) refer to entries below, listed in citation order.

Selected Vulnerabilities

  1. CVE-2026-32626: Streaming XSS to host-OS RCE via insecure Electron config (CVSS 9.6); patched in v1.11.2
  2. CVE-2026-32628: SQL injection in SQL Agent plugin via unsanitized table_name (CVSS 8.8); patched post-v1.11.1
  3. CVE-2026-24478: Path traversal in DrupalWiki integration allowing arbitrary file write and RCE (CVSS 7.2); patched in v1.10.0
  4. CVE-2026-32719: Zip Slip in community hub plugin import allows arbitrary code execution (CVSS 4.2); patched via commit 6a492f0
  5. CVE-2026-41318: Stored DOM XSS in chart caption renderer via indirect prompt injection; patched in v1.12.1
  6. CVE-2026-42456: IDOR on TTS endpoint exposing other users' chat audio (CVSS 4.3); patched in v1.12.1
  7. CVE-2026-24477: QdrantApiKey leakage via unauthenticated endpoint granting vector DB read/write (CVSS 5.3); patched in v1.10.0
  8. CVE-2024-0549: Path traversal enabling deletion of arbitrary files including anythingllm.db (CVSS 8.1); patched in v1.0.0
  9. CVE-2024-0759: SSRF via web scraper enabling internal network scanning and EC2 metadata access; patched via commit 0db6c3b

Selected Research

  10. AnythingLLM under the Microscope (mgm security partners): found CVE-2025-44822 XPIA enabling persistent exfiltration via document injection; vendor unresponsive
  11. GHSA-rrmw-2j6x-4mf2: Streaming XSS to host-OS RCE in Desktop via indirect prompt injection through RAG documents; Electron runs with nodeIntegration enabled
  12. GHSA-jwjx-mw2p-5wc7: SQL injection via LLM tool-call arguments demonstrating PII extraction and OS command execution
  13. GHSA-24qj-pw4h-3jmm: Permissive CORS and unauthenticated API on default installs enabling drive-by agent invocation from any origin
  14. GHSA-4q6m-qh3w-9gf5: Stored DOM XSS via indirect prompt injection through LLM-generated chart captions
  15. HuntR AnythingLLM bounty catalog: More than twenty disclosed vulnerabilities including path traversals and stored XSS via SVG uploads

Vendor Documentation

  16. AnythingLLM agent usage overview: Vendor documents built-in agent tools including RAG search, web browsing, web scraping, SQL agent, and file system agent
  17. File System Agent documentation: File system agent disabled by default; requires explicit per-folder grants; Docker constrains to bound volumes
  18. Self-hosted data privacy terms: No external data access; optional PostHog telemetry; user responsible for host security
  19. AnythingLLM Cloud privacy policy: AWS-hosted infrastructure; PostHog and Stripe data collection; permanent deletion on account cancellation

Other Sources

  20. Custom agent skills introduction: Custom skills run arbitrary NodeJS code including OS invocations within the server process
  21. Vector database configuration overview: Vector DB is system-wide and cannot be configured per-workspace; LanceDB is the default
  22. AnythingLLM agent system architecture: AIbitat conversation engine with five plugin types and MCP server compatibility