CVE-2026-32628 Overview
CVE-2026-32628 is a SQL Injection vulnerability affecting AnythingLLM, an application that transforms various content into contextual references for Large Language Models (LLMs) during chat interactions. The vulnerability exists in versions 1.11.1 and earlier within the built-in SQL Agent plugin, allowing any authenticated user who can invoke the agent to execute arbitrary SQL commands on connected databases.
Critical Impact
Authenticated users can execute arbitrary SQL commands on connected MySQL, PostgreSQL, and MSSQL databases through the SQL Agent plugin, potentially leading to data exfiltration, modification, or destruction.
Affected Products
- Mintplex Labs AnythingLLM versions 1.11.1 and earlier
- SQL Agent plugin with MySQL connector
- SQL Agent plugin with PostgreSQL connector
- SQL Agent plugin with MSSQL connector
Discovery Timeline
- 2026-03-16 - CVE-2026-32628 published to NVD
- 2026-03-16 - Last updated in NVD database
Technical Details for CVE-2026-32628
Vulnerability Analysis
This SQL injection vulnerability stems from improper input handling in the SQL Agent plugin's database connectors. The getTableSchemaSql() method in all three supported database connectors (MySQL, PostgreSQL, and MSSQL) builds its SQL query by concatenating the table_name parameter directly into the query string. Because the value is neither sanitized nor bound as a parameter, it becomes a direct injection point that authenticated users can exploit through the agent interface.
The vulnerability is particularly concerning in the context of LLM applications, where users interact with databases through natural language prompts that are translated into SQL queries. An attacker can craft malicious input that, when processed by the agent, results in arbitrary SQL command execution on the connected database.
Root Cause
The root cause is a classic SQL Injection flaw (CWE-89: Improper Neutralization of Special Elements used in an SQL Command). The vulnerable code directly concatenates user-supplied input into SQL query strings without proper sanitization or the use of parameterized queries (prepared statements). This allows attackers to break out of the intended query structure and inject arbitrary SQL commands.
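The concatenation flaw and the parameterized form, side by side, as an added example that is not AnythingLLM's code. The function names, the information_schema query text and the sample input are assumptions constructed for illustration; the check shows that a quote in table_name changes the statement structure only when the value is concatenated.

```javascript
// Added illustration, not AnythingLLM source. Function names, the query text
// and the sample input are assumptions constructed for this example.
const BASE =
  "SELECT column_name, data_type FROM information_schema.columns WHERE table_name = ";

// Before: the table name is spliced into the SQL text.
function schemaSqlConcatenated(tableName) {
  return { sql: `${BASE}'${tableName}'`, params: [] };
}

// After: the SQL text is fixed per connector and the name is a bound value.
// "@p0" follows the p${index} naming in the MSSQL patch; "?" and "$1" are the
// positional markers of the mysql2 and pg drivers.
const MARKER = { mysql: "?", postgresql: "$1", mssql: "@p0" };

function schemaSqlParameterized(tableName, engine = "mysql") {
  const marker = MARKER[engine];
  if (!marker) throw new Error(`unsupported engine: ${engine}`);
  return { sql: `${BASE}${marker}`, params: [tableName] };
}

// Collapses every '...' string literal so only the statement structure remains.
function queryShape(sql) {
  return sql.replace(/'(?:[^']|'')*'/g, "'<lit>'");
}

// True when the input alters the statement structure relative to a benign name.
function inputChangesShape(build, tableName) {
  return queryShape(build(tableName).sql) !== queryShape(build("orders").sql);
}

// Constructed input containing a quote (textbook tautology).
const CRAFTED = "orders' OR 'a'='a";

console.log(queryShape(schemaSqlConcatenated(CRAFTED).sql));
console.log("concatenated changes shape:", inputChangesShape(schemaSqlConcatenated, CRAFTED));
console.log("parameterized changes shape:", inputChangesShape(schemaSqlParameterized, CRAFTED));
```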
Attack Vector
The attack vector is network-based and requires low-privilege authentication. An attacker must have valid credentials to access the AnythingLLM application and be able to invoke the SQL Agent plugin. Once authenticated, the attacker can submit specially crafted table names or parameters through the agent interface that contain SQL injection payloads. These payloads are then executed directly against the connected database with the privileges of the database connection configured in AnythingLLM.
The following patch demonstrates how the vulnerability was fixed by implementing parameterized queries in the MSSQL connector:
/**
*
* @param {string} queryString the SQL query to be run
+ * @param {Array} params optional parameters for prepared statement
* @returns {Promise<import(".").QueryResult>}
*/
- async runQuery(queryString = "") {
+ async runQuery(queryString = "", params = []) {
const result = { rows: [], count: 0, error: null };
try {
if (!this.#connected) await this.connect();
- const query = await this._client.query(queryString);
+ const request = this._client.request();
+ params.forEach((value, index) => {
+ request.input(`p${index}`, value);
+ });
+ const query = await request.query(queryString);
result.rows = query.recordset;
result.count = query.rowsAffected.reduce((sum, a) => sum + a, 0);
} catch (err) {
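Review bot: The params.forEach loop binds values under generated names (p0, p1, ...), but the added @param line only says "optional parameters for prepared statement", so the naming contract the query text must follow is undocumented; state in the JSDoc that queryString has to reference the inputs by those names. Note also that runQuery still runs whatever queryString it receives when params is empty, so this hunk closes the injection only if the callers that build the schema query stop concatenating table_name and pass it in params. Those call sites are not visible here and should be checked in the same review.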
Source: GitHub Commit
A similar fix was applied to the MySQL connector:
/**
*
* @param {string} queryString the SQL query to be run
+ * @param {Array} params optional parameters for prepared statement
* @returns {Promise<import(".").QueryResult>}
*/
- async runQuery(queryString = "") {
+ async runQuery(queryString = "", params = []) {
const result = { rows: [], count: 0, error: null };
try {
if (!this.#connected) await this.connect();
- const [query] = await this._client.query(queryString);
+ const [query] =
+ params.length > 0
+ ? await this._client.execute(queryString, params)
+ : await this._client.query(queryString);
result.rows = query;
result.count = query?.length;
} catch (err) {
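Review bot: In the params.length > 0 ternary, an empty params array falls back to this._client.query(queryString), so the unparameterized path stays reachable and a caller that forgets to pass params gets no protection. Consider stating in the @param line that values must never be interpolated into queryString, and confirm that every caller of runQuery that handles table_name now supplies params. The two branches also go through different client methods (execute and query); a short comment explaining why the fallback is kept would help the next reader.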
Source: GitHub Commit
Detection Methods for CVE-2026-32628
Indicators of Compromise
- Unusual SQL error messages in AnythingLLM application logs indicating malformed queries
- Database audit logs showing unexpected queries containing SQL keywords like UNION, DROP, DELETE, or INSERT from the AnythingLLM service account
- Evidence of data exfiltration or unauthorized schema enumeration in database logs
- Anomalous agent invocations with table names containing special characters or SQL syntax
Detection Strategies
- Implement database activity monitoring (DAM) to detect SQL injection patterns in queries originating from AnythingLLM
- Enable detailed logging for the SQL Agent plugin and monitor for queries containing suspicious patterns
- Configure Web Application Firewall (WAF) rules to inspect requests to the AnythingLLM application for SQL injection payloads
- Review authentication logs for unusual agent access patterns or privilege escalation attempts
Monitoring Recommendations
- Enable database audit logging for all connections from AnythingLLM instances
- Monitor for failed SQL query attempts that may indicate injection testing
- Set up alerts for any direct schema queries or system table access from the application
- Review agent invocation logs regularly for suspicious input patterns
How to Mitigate CVE-2026-32628
Immediate Actions Required
- Upgrade AnythingLLM to a version newer than 1.11.1 that contains the security patch
- If immediate upgrade is not possible, disable the SQL Agent plugin until patching is complete
- Review database access logs for any evidence of exploitation
- Restrict database connection privileges used by AnythingLLM to minimum required permissions
- Implement network segmentation between AnythingLLM and connected databases
Patch Information
Mintplex Labs has released a security patch addressing this vulnerability. The fix implements parameterized queries across all three database connectors (MySQL, PostgreSQL, and MSSQL) so that user input is bound as data instead of being concatenated into the query text. The patch is available in commit 334ce052f063b53a4275518cbed3bab357695d7e. Users should update to the latest version of AnythingLLM that includes this fix. For detailed information, refer to the GitHub Security Advisory.
Workarounds
- Disable the SQL Agent plugin entirely if not required for business operations
- Implement strict input validation at the application layer before queries reach the SQL Agent
- Use database firewall rules to restrict the types of queries that can be executed
- Create read-only database accounts for AnythingLLM connections where full write access is not required
# Configuration example: Restrict database user privileges (MySQL example)
# Create a restricted read-only user for AnythingLLM
CREATE USER 'anythingllm_readonly'@'localhost' IDENTIFIED BY 'secure_password';
GRANT SELECT ON target_database.* TO 'anythingllm_readonly'@'localhost';
FLUSH PRIVILEGES;
# Update AnythingLLM database connection to use restricted account
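One way to act on both the "table names containing special characters or SQL syntax" indicator and the "strict input validation" workaround above, as an added example that is not AnythingLLM's code. The JSON-lines log format, the field names (user, tool, table_name) and the sample records are constructed assumptions.

```javascript
// Added illustration, not AnythingLLM code. The log format, field names and
// sample records are constructed assumptions.

// Plain unquoted identifier, optionally schema-qualified (schema.table).
const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]{0,63}(\.[A-Za-z_][A-Za-z0-9_]{0,63})?$/;

const REASONS = [
  ["quote character", /['"`]/],
  ["statement separator", /;/],
  ["comment marker", /--|\/\*|#/],
  ["whitespace", /\s/],
  ["parenthesis", /[()]/],
];

// Allow-list gate: usable before a name is handed to the connector.
function isPlainTableName(name) {
  return typeof name === "string" && IDENTIFIER.test(name);
}

// Explains why a rejected name is suspicious, for alert triage.
function inspectTableName(name) {
  if (isPlainTableName(name)) return [];
  if (typeof name !== "string" || name === "") return ["missing or non-string"];
  const hits = REASONS.filter(([, re]) => re.test(name)).map(([label]) => label);
  return hits.length > 0 ? hits : ["not a plain identifier"];
}

// Scans JSON-lines agent invocation records and returns the flagged ones.
function flagInvocations(logText) {
  const flagged = [];
  for (const line of logText.split("\n")) {
    if (line.trim() === "") continue;
    let rec;
    try { rec = JSON.parse(line); } catch (err) { rec = null; }
    const name = rec ? rec.table_name : line;
    const reasons = rec ? inspectTableName(name) : ["unparseable record"];
    if (reasons.length > 0) flagged.push({ user: rec ? rec.user : null, table_name: name, reasons });
  }
  return flagged;
}

// Constructed sample records (hypothetical log format).
const SAMPLE_LOG = `
{"user":"alice","tool":"schema_lookup","table_name":"orders"}
{"user":"bob","tool":"schema_lookup","table_name":"sales.invoices"}
{"user":"carol","tool":"schema_lookup","table_name":"orders' OR 'a'='a"}
{"user":"dave","tool":"schema_lookup","table_name":"customers; --"}
`;
```

Legitimate table names that need quoting (spaces, hyphens) are flagged by this allow-list too, so extend IDENTIFIER to match the naming actually used in the connected databases.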


