CVE-2026-32890 Overview
CVE-2026-32890 is a stored Cross-Site Scripting (XSS) vulnerability affecting Anchorr, a Discord bot designed for requesting movies and TV shows and receiving notifications when items are added to a media server. The vulnerability exists in the web dashboard's User Mapping dropdown component, allowing unprivileged Discord users within a configured guild to inject and execute arbitrary JavaScript in the Anchorr administrator's browser.
Critical Impact
This XSS vulnerability can be chained with the unauthenticated GET /api/config endpoint to exfiltrate all stored credentials including DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET, and bcrypt password hashes without requiring any authentication to Anchorr itself.
Affected Products
- Anchorr versions 1.4.1 and below
- Anchorr web dashboard component
- Discord guilds using affected Anchorr instances
Discovery Timeline
- 2026-03-20 - CVE-2026-32890 published to NVD
- 2026-03-20 - Last updated in NVD database
Technical Details for CVE-2026-32890
Vulnerability Analysis
This stored XSS (CWE-79) is dangerous because it chains two weaknesses: an injection point in the User Mapping dropdown that persists attacker-supplied markup, and an API endpoint that returns the application's configuration, secrets included, to anyone who asks for it.
Any unprivileged Discord user within the configured guild can inject malicious JavaScript payloads through the User Mapping feature. When an Anchorr administrator subsequently accesses the web dashboard and views the User Mapping dropdown, the malicious script executes in their browser context with full access to the application's session and APIs.
The escalation path is the GET /api/config endpoint, which returns the stored configuration, including API keys, tokens, signing secrets and bcrypt password hashes, to any request, authenticated or not. A fetch of that endpoint from inside the XSS payload, issued by the administrator's own browser, is enough to silently exfiltrate the complete set of credentials.
Root Cause
The vulnerability stems from missing output encoding in the User Mapping dropdown component. A value that a Discord user controls is stored and later rendered into the administrator's dashboard as markup rather than as text, so HTML and JavaScript injected into it persist in storage and execute on every view, and no Content Security Policy is in place to block the inline script.
Additionally, the /api/config endpoint performs no access control: it answers requests whether or not they carry a valid session, so the payload only needs a same-origin fetch from the administrator's browser to read it.
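The rendering defect described above, shown as an added example that is not Anchorr's code: a dropdown built by string interpolation keeps attacker markup live, while the same dropdown built with HTML entity encoding renders it as inert text. The mapping field names, the rendering functions and the payload (a constructed stand-in for the kind of value the advisory describes, not the actual one) are assumptions for this illustration.

```javascript
// Added illustration, not Anchorr's code: why an unescaped dropdown is a
// stored XSS sink and the output encoding that closes it. Field names,
// functions and the sample payload are assumptions for this example.

// Constructed sample entries. The second "Discord name" is a representative
// payload of the kind the advisory describes: it breaks out of the attribute
// and, if it executed, would read /api/config from the admin's own browser.
const SAMPLE_MAPPINGS = [
  { discordId: "111111111111111111", discordName: "alice", mediaUser: "alice" },
  {
    discordId: "222222222222222222",
    discordName: '"><img src=x onerror="fetch(\'/api/config\')">',
    mediaUser: "bob",
  },
];

// Vulnerable: user-controlled strings are interpolated straight into markup,
// so the browser parses the stored payload as an element with an event handler.
function renderOptionsUnsafe(mappings) {
  return mappings
    .map((m) => `<option value="${m.discordId}">${m.discordName} -> ${m.mediaUser}</option>`)
    .join("\n");
}

// Hardened: every interpolated value is HTML-entity encoded first. These five
// characters are the ones that can change the parsing context in element
// content or inside a double-quoted attribute.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderOptionsSafe(mappings) {
  return mappings
    .map(
      (m) =>
        `<option value="${escapeHtml(m.discordId)}">` +
        `${escapeHtml(m.discordName)} -> ${escapeHtml(m.mediaUser)}</option>`
    )
    .join("\n");
}

// Crude check used only to show the difference between the two renderings:
// true when the markup still contains a tag the mapping data never needs.
function containsInjectedTag(html) {
  return /<(img|script|svg|iframe)\b/i.test(html);
}
```

In a real dashboard the same rule is easier to follow by building the `<option>` elements with DOM APIs (`document.createElement("option")`, then `.value` and `.textContent`) or a framework that auto-escapes, rather than concatenating HTML strings; a Content Security Policy that forbids inline script is a separate, defence-in-depth layer and does not replace the encoding.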
Attack Vector
The attack follows a multi-stage exploitation pattern:
- An unprivileged Discord user in the configured guild submits a malicious payload containing JavaScript through the User Mapping feature
- The payload is stored server-side without proper sanitization
- When an Anchorr administrator accesses the web dashboard and interacts with the User Mapping dropdown, the stored XSS payload executes
- The malicious JavaScript calls the GET /api/config endpoint from the admin's browser
- All sensitive credentials including API keys, tokens, and password hashes are exfiltrated to an attacker-controlled server
The attacker never authenticates to Anchorr. Membership in the Discord guild that the Anchorr instance is configured for is enough to plant the payload, and the administrator's own browser performs the /api/config request.
Detection Methods for CVE-2026-32890
Indicators of Compromise
- Unexpected JavaScript code or HTML tags in User Mapping database entries
- Unusual outbound requests to external domains from administrators' browsers while the Anchorr dashboard is open (the payload runs in the browser, not on the Anchorr host)
- Access logs showing requests to /api/config from unexpected sources or with unusual timing patterns
- Discord bot token invalidation or unauthorized bot activity
Detection Strategies
- Monitor Anchorr application logs for suspicious User Mapping entries containing script tags, event handlers, or encoded JavaScript
- Implement network monitoring on administrator workstations to detect exfiltration attempts from the dashboard page to unknown external endpoints
- Review Discord bot activity logs for unauthorized actions that might indicate token compromise
- Audit access logs for the /api/config endpoint to identify unusual request patterns
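The first and last strategies above, as an added example that is not part of Anchorr or this advisory: a pass over stored User Mapping entries that normalises one layer of URL and HTML-entity encoding before matching script tags, event handlers and exfiltration primitives, followed by an audit of /api/config requests in a Combined Log Format access log. The mapping field names, the log format of the reverse proxy assumed to sit in front of the dashboard, the "known administrator" address set and all sample data are constructed assumptions.

```javascript
// Added detection example for the indicators above; not Anchorr's code.
// The mapping field names, the Combined Log Format in front of the dashboard
// and the "known administrator" address set are assumptions.

// --- 1. Hostile content in stored User Mapping entries -----------------------

// Undo one layer of URL and HTML-entity encoding so obfuscated payloads
// still match the patterns below.
function normalize(s) {
  let out = String(s);
  try { out = decodeURIComponent(out); } catch (_) { /* not URL-encoded */ }
  const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "");
  return out
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&lt;/gi, "<").replace(/&gt;/gi, ">")
    .replace(/&quot;/gi, '"').replace(/&amp;/gi, "&");
}

const PATTERNS = {
  tag: /<\s*\/?\s*(script|img|svg|iframe|object|embed|style|link|math)\b/i,
  eventHandler: /\bon[a-z]+\s*=/i,
  jsUrl: /javascript\s*:/i,
  exfilPrimitive: /\b(fetch|XMLHttpRequest|eval|atob|document\.cookie)\b/i,
};

// Returns the "field:pattern" hits for one stored entry ([] when clean).
function flagMapping(entry) {
  const hits = [];
  for (const field of ["discordName", "mediaUser"]) {
    const text = normalize(entry[field] ?? "");
    for (const [name, re] of Object.entries(PATTERNS)) {
      if (re.test(text)) hits.push(`${field}:${name}`);
    }
  }
  return hits;
}

// --- 2. Unusual access to /api/config in the HTTP access log -----------------

const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Parses "20/Mar/2026:10:15:32 +0000" into epoch milliseconds (UTC).
function parseClfTime(ts) {
  const m = /^(\d+)\/(\w{3})\/(\d+):(\d+):(\d+):(\d+) ([+-])(\d{2})(\d{2})$/.exec(ts);
  if (!m) return NaN;
  const [, d, mon, y, h, mi, s, sign, oh, om] = m;
  const offsetMs = (sign === "-" ? -1 : 1) * (Number(oh) * 60 + Number(om)) * 60_000;
  return Date.UTC(+y, MONTHS[mon], +d, +h, +mi, +s) - offsetMs;
}

function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [, ip, ts, method, path, status, referer, ua] = m;
  return { ip, time: parseClfTime(ts), method, path: path.split("?")[0], status: Number(status), referer, ua };
}

// Flags /api/config requests from unknown sources, requests not issued from the
// dashboard page, and bursts of `burstLimit` requests inside `windowMs`.
function auditConfigAccess(lines, { knownAdminIps, dashboardOrigin, burstLimit = 3, windowMs = 60_000 }) {
  const hits = lines.map(parseLogLine).filter((r) => r && r.path === "/api/config");
  const findings = [];
  const timesByIp = new Map();
  for (const r of hits) {
    if (!knownAdminIps.has(r.ip)) findings.push({ ip: r.ip, reason: "unknown-source" });
    if (!r.referer.startsWith(dashboardOrigin)) findings.push({ ip: r.ip, reason: "not-from-dashboard" });
    timesByIp.set(r.ip, [...(timesByIp.get(r.ip) ?? []), r.time]);
  }
  for (const [ip, times] of timesByIp) {
    times.sort((a, b) => a - b);
    for (let i = 0; i + burstLimit <= times.length; i++) {
      if (times[i + burstLimit - 1] - times[i] <= windowMs) { findings.push({ ip, reason: "burst" }); break; }
    }
  }
  return findings;
}

// Constructed sample data for a dry run (not real entries or logs).
const SAMPLE_ENTRIES = [
  { discordId: "1", discordName: "alice", mediaUser: "alice" },
  { discordId: "2", discordName: '"><svg/onload=fetch(\'/api/config\')>', mediaUser: "bob" },
  { discordId: "3", discordName: "%3Cscript%3Ealert(1)%3C/script%3E", mediaUser: "carol" },
];

const SAMPLE_LOG = [
  '10.0.0.5 - - [20/Mar/2026:10:15:32 +0000] "GET /api/config HTTP/1.1" 200 812 "https://anchorr.example/dashboard" "Mozilla/5.0"',
  '203.0.113.7 - - [20/Mar/2026:11:02:10 +0000] "GET /api/config HTTP/1.1" 200 812 "-" "curl/8.5.0"',
  '10.0.0.5 - - [20/Mar/2026:10:40:00 +0000] "GET /api/config HTTP/1.1" 200 812 "https://anchorr.example/dashboard" "Mozilla/5.0"',
  '10.0.0.5 - - [20/Mar/2026:10:40:05 +0000] "GET /api/config HTTP/1.1" 200 812 "https://anchorr.example/dashboard" "Mozilla/5.0"',
  '10.0.0.5 - - [20/Mar/2026:10:40:06 +0000] "GET /api/config HTTP/1.1" 200 812 "https://anchorr.example/dashboard" "Mozilla/5.0"',
  '10.0.0.5 - - [20/Mar/2026:10:15:40 +0000] "GET /api/requests HTTP/1.1" 200 120 "https://anchorr.example/dashboard" "Mozilla/5.0"',
];

const AUDIT_OPTIONS = { knownAdminIps: new Set(["10.0.0.5"]), dashboardOrigin: "https://anchorr.example/" };
```

Note the limitation the access-log audit cannot overcome: a /api/config fetch triggered by the XSS payload comes from the administrator's own browser with a same-origin Referer, so it looks like a legitimate dashboard request line by line. That is why the timing heuristic and the review of stored entries matter more than source filtering, and why closing the endpoint is the real fix.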
Monitoring Recommendations
- Enable verbose logging for the Anchorr web dashboard component
- Deploy a Content Security Policy that forbids inline script and includes a report-uri or report-to directive; violation reports only appear once such a policy is actually enforced
- Set up alerts for any credential rotation or unauthorized API key usage on connected services (Jellyfin, Jellyseerr)
- Implement rate limiting and monitoring on sensitive API endpoints
How to Mitigate CVE-2026-32890
Immediate Actions Required
- Upgrade Anchorr to version 1.4.2 or later immediately
- Rotate all credentials stored in Anchorr including DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, and WEBHOOK_SECRET (regenerate each at the issuing service, then update Anchorr), and reset dashboard passwords, since their bcrypt hashes were exposed
- Review User Mapping entries for any suspicious or malicious content
- Audit connected service logs for unauthorized access since deployment of affected versions
Patch Information
The vulnerability has been addressed in Anchorr version 1.4.2. The fix is available through the GitHub Release v1.4.2. Additional details about the fix can be found in the GitHub Security Advisory GHSA-qpmq-6wjc-w28q and the associated commit.
Workarounds
- Restrict Discord guild membership to trusted users only until the patch can be applied
- Disable or restrict access to the Anchorr web dashboard temporarily
- Implement network-level controls on administrator workstations to prevent browsers used for the dashboard from making outbound requests to untrusted domains
- Consider placing the Anchorr web dashboard behind additional authentication mechanisms
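The last workaround and the /api/config weakness described under Root Cause, as an added example of how a configuration endpoint should behave. This is not Anchorr's actual fix and not its code: the request and session shapes, the non-secret configuration keys and the placeholder values are assumptions; the secret key names are the ones this advisory lists. The point it demonstrates is that requiring a session is necessary but not sufficient, because a script already running in the administrator's page inherits that session; the endpoint must also stop returning secret values at all.

```javascript
// Added example of the access-control and data-minimisation rules a config
// endpoint should follow. Not Anchorr's actual fix; the request shape, the
// session check and the non-secret keys are assumptions.

// Keys the advisory lists as exposed, plus a suffix rule for anything similar.
const SECRET_KEYS = new Set(["DISCORD_TOKEN", "JELLYFIN_API_KEY", "JELLYSEERR_API_KEY", "JWT_SECRET", "WEBHOOK_SECRET"]);
const SECRET_SUFFIX = /(_TOKEN|_KEY|_SECRET|_PASSWORD|_HASH)$/;

function isSecretKey(key) {
  return SECRET_KEYS.has(key) || SECRET_SUFFIX.test(key);
}

// Constructed sample configuration; the values are placeholders, not real secrets.
const SAMPLE_CONFIG = {
  DISCORD_TOKEN: "placeholder-discord-token",
  JELLYFIN_API_KEY: "placeholder-jellyfin-key",
  JELLYSEERR_API_KEY: "",
  JWT_SECRET: "placeholder-jwt-secret",
  WEBHOOK_SECRET: "placeholder-webhook-secret",
  ADMIN_PASSWORD_HASH: "$2b$12$placeholderplaceholderplaceholderplaceholderplaceholder",
  JELLYFIN_URL: "https://jellyfin.example",
  GUILD_ID: "123456789012345678",
};

// Secrets are write-only from the browser's point of view: the response says
// whether each one is set, never what it is. A script running in the
// administrator's page then has nothing worth exfiltrating from this endpoint.
function redactConfig(config) {
  return Object.fromEntries(
    Object.entries(config).map(([k, v]) =>
      isSecretKey(k) ? [k, { configured: typeof v === "string" && v.length > 0 }] : [k, v]
    )
  );
}

// Minimal request/response model. `req.session` is assumed to be populated by
// the dashboard's login flow (a signed cookie or similar) before this runs.
function handleConfigRequest(req, config = SAMPLE_CONFIG) {
  const noStore = { "Cache-Control": "no-store" };
  if (req.method !== "GET") return { status: 405, headers: noStore, body: { error: "method not allowed" } };
  if (!req.session || req.session.role !== "admin") {
    return { status: 401, headers: noStore, body: { error: "authentication required" } };
  }
  return { status: 200, headers: noStore, body: redactConfig(config) };
}

// Regression guard for the data-minimisation rule: true when any raw secret
// value from `config` appears anywhere in the serialised response body.
function responseLeaksSecret(response, config) {
  const serialized = JSON.stringify(response.body);
  return Object.entries(config).some(([k, v]) => isSecretKey(k) && v && serialized.includes(v));
}
```

A check like `responseLeaksSecret` belongs in the project's test suite rather than only in a review: it is the cheapest way to notice when a later change starts returning a raw token again, regardless of which authentication layer sits in front of the route.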
# Example: Update Anchorr to patched version
cd /path/to/anchorr
git fetch --tags
git checkout v1.4.2
npm install
npm run build
# Restart the Anchorr service
systemctl restart anchorr
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


