CVE-2026-32719 Overview
CVE-2026-32719 is a Path Traversal vulnerability affecting AnythingLLM, an application that transforms pieces of content into context that any LLM can use as references during chatting. In versions 1.11.1 and earlier, the ImportedPlugin.importCommunityItemFromUrl() function in server/utils/agents/imported.js downloads a ZIP file from a community hub URL and extracts it using AdmZip.extractAllTo() without validating file paths within the archive. This enables a Zip Slip path traversal attack that can lead to arbitrary code execution.
Critical Impact
This vulnerability allows attackers to write arbitrary files outside the intended directory through specially crafted ZIP archives, potentially leading to remote code execution on the target system.
Affected Products
- Mintplexlabs AnythingLLM version 1.11.1 and earlier
Discovery Timeline
- 2026-03-16 - CVE-2026-32719 published to NVD
- 2026-03-16 - Last updated in NVD database
Technical Details for CVE-2026-32719
Vulnerability Analysis
The vulnerability resides in the community plugin import functionality of AnythingLLM. When users import plugins from community hub URLs, the application downloads a ZIP archive and extracts its contents using the AdmZip library's extractAllTo() method. The fundamental flaw is the absence of path validation for entries within the ZIP archive before extraction.
This weakness (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) allows malicious actors to craft ZIP archives containing entries with directory traversal sequences such as ../ in their filenames. When extracted, these entries can write files to arbitrary locations on the filesystem outside the designated plugin folder.
Exploitation requires network access and interaction by a high-privileged user, but a successful attack lets the attacker overwrite critical application files or plant malicious scripts in executable locations.
Root Cause
The root cause is the direct use of AdmZip.extractAllTo() without first iterating through archive entries and validating that resolved extraction paths remain within the intended plugin folder. The original code trusted the ZIP archive contents implicitly, assuming all entry names would resolve to safe paths within the target directory.
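The per-entry containment check that this root cause calls for, as an added example (not AnythingLLM's code and not its isWithin() helper): isInside() and findEscapingEntries() are hypothetical names, and the folder and entry names are constructed samples. It goes slightly beyond the page's ../ case by also covering absolute names, backslash separators and a sibling folder that shares the plugin folder's prefix.

```javascript
const path = require("path");

// True when `target` is `root` itself or lies beneath it. path.relative()
// avoids the prefix bug where ".../plugins/demo-evil" passes a naive
// startsWith(".../plugins/demo") comparison.
function isInside(root, target) {
  const rel = path.relative(root, target);
  if (rel === "") return true;
  if (path.isAbsolute(rel)) return false; // different drive on Windows
  return rel !== ".." && !rel.startsWith(".." + path.sep);
}

// Return the entry names that would be written outside pluginFolder.
function findEscapingEntries(pluginFolder, entryNames) {
  const root = path.resolve(pluginFolder); // normalize once, compare against this
  const rejected = [];
  for (const name of entryNames) {
    // Treat "\" as a separator as well, so Windows-style names are judged
    // the same way on every platform.
    const resolved = path.resolve(root, name.replace(/\\/g, "/"));
    if (!isInside(root, resolved)) rejected.push({ name, resolved });
  }
  return rejected;
}

// Constructed sample: names as they would come from entry.entryName.
const SAMPLE_FOLDER = "/opt/anythingllm/plugins/demo";
const SAMPLE_ENTRIES = [
  "plugin.json",
  "lib/handler.js",
  "a/../b.txt",                 // dot-dot that stays inside
  "..data/readme.md",           // starts with ".." but is an ordinary name
  "../../config/malicious.js",  // traversal example quoted on this page
  "../demo-evil/x.js",          // sibling folder sharing the prefix
  "/tmp/outside.txt",           // absolute name
  "..\\..\\config\\x.js",       // backslash separators
];

for (const r of findEscapingEntries(SAMPLE_FOLDER, SAMPLE_ENTRIES)) {
  console.log(`REJECT ${JSON.stringify(r.name)} -> ${r.resolved}`);
}
```

A non-empty result means the archive should be rejected as a whole before anything is extracted, rather than extracting only the entries that passed.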
Attack Vector
An attacker with the ability to influence community hub content or conduct a man-in-the-middle attack could serve a malicious ZIP archive containing specially crafted entry names. When a privileged user imports this plugin, the archive entries with path traversal sequences (e.g., ../../config/malicious.js) would be extracted outside the plugin folder, potentially overwriting application configuration files or placing executable code in sensitive directories.
The attack requires:
- Network access to serve or intercept plugin downloads
- A privileged user to initiate the plugin import
- User interaction to trigger the vulnerable code path
// Note: https://github.com/cthackers/adm-zip?tab=readme-ov-file#electron-original-fs
const AdmZip = require("adm-zip");
const zip = new AdmZip(zipFilePath);
+ // Validate all zip entries to prevent Zip Slip path traversal attacks (CWE-22)
+ for (const entry of zip.getEntries()) {
+ const entryPath = path.resolve(pluginFolder, entry.entryName);
+ if (!isWithin(pluginFolder, entryPath) && pluginFolder !== entryPath) {
+ throw new Error(
+ `[ImportedPlugin.importCommunityItemFromUrl]: Entry "${entry.entryName}" would extract outside plugin folder - not allowed.`
+ );
+ }
+ }
+
zip.extractAllTo(pluginFolder);
// We want to make sure specific keys are set to the proper values for
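Review bot: In the added loop, the `pluginFolder !== entryPath` clause compares the raw `pluginFolder` with the output of `path.resolve()`, which is always absolute and normalized, so if `pluginFolder` is relative or carries a trailing separator the clause never matches and an entry that resolves to the folder itself depends entirely on how `isWithin` treats equal paths. Resolving the folder once (for example `const root = path.resolve(pluginFolder)`) and using that value in both `isWithin` and the equality test would remove the ambiguity. The check is also lexical and runs separately from `zip.extractAllTo(pluginFolder)`, which derives its own target paths, so a regression test that passes an archive with a `../` entry through this function and asserts that it throws before anything is written would keep the validation and the extraction from drifting apart.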
Source: GitHub Commit Update
Detection Methods for CVE-2026-32719
Indicators of Compromise
- Unexpected files appearing outside the AnythingLLM plugin directories
- Modified application configuration files or scripts without authorized changes
- Newly created files in system directories following plugin import operations
- Log entries showing plugin imports from untrusted or unexpected sources
Detection Strategies
- Monitor filesystem activity during plugin import operations for writes outside the designated plugin folder
- Implement file integrity monitoring on critical AnythingLLM application directories
- Review web server logs for unusual community hub URL patterns or external plugin sources
- Configure application-level logging to capture all plugin import operations with source URLs
Monitoring Recommendations
- Enable detailed logging for the ImportedPlugin.importCommunityItemFromUrl() function
- Set up alerts for file creation events in parent directories of the plugin folder
- Monitor network traffic for ZIP downloads from untrusted community hub sources
- Implement SentinelOne Singularity platform monitoring to detect unauthorized file system modifications
How to Mitigate CVE-2026-32719
Immediate Actions Required
- Upgrade AnythingLLM to a version containing the security patch (commit 6a492f038da195a5c9a239d5ca2e9f2151c25f8c or later)
- Audit recently imported community plugins for suspicious file paths or unexpected content
- Review the filesystem for any files that may have been written outside plugin directories
- Temporarily disable community plugin imports if immediate patching is not possible
Patch Information
The Mintplex Labs team has addressed this vulnerability by implementing path validation before ZIP extraction. The fix iterates through all ZIP entries and uses the isWithin() function to verify that each resolved entry path remains within the designated plugin folder. If any entry would extract outside the allowed directory, the operation is aborted with an error.
The patch is available in commit 6a492f038da195a5c9a239d5ca2e9f2151c25f8c. Refer to the GitHub Security Advisory for additional details.
Workarounds
- Disable community plugin import functionality until the patch can be applied
- Restrict network access to trusted community hub sources only
- Run AnythingLLM with restricted filesystem permissions to limit potential impact
- Implement network-level controls to prevent access to untrusted plugin sources
# Configuration example - Restrict AnythingLLM filesystem permissions
# Run as a dedicated user with limited directory access
useradd -r -s /sbin/nologin anythingllm
chown -R anythingllm:anythingllm /opt/anythingllm
chmod -R 750 /opt/anythingllm
# Ensure the plugins directory has strict permissions
chmod 700 /opt/anythingllm/plugins
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


