AnythingLLM, a widely used desktop application that turns documents and other content into LLM-queryable context, ships with every HTTP API endpoint and the agent WebSocket unauthenticated on default installations, that is, wherever no instance password or API key has been set. The server's CORS policy also accepts requests from any origin (CWE-942), so a web page loaded in a browser that can reach the listener can drive the full agent API cross-origin.
The desktop application binds to 127.0.0.1 (loopback), so a remote host cannot connect to it directly; the realistic path is a web page loaded in the victim's browser that issues requests to the local listener. Modern browsers' Private Network Access (PNA) restrictions block pages on public origins from making such requests to local addresses, which leaves pages served from the local network as the practical vector. Exploitation is therefore limited to attackers already on the same local network, but in enterprise, shared-office, or development environments LAN adjacency is routine. A companion vulnerability, CVE-2026-32717, lets suspended users in multi-user mode keep operating via Browser Extension API keys, bypassing account suspension entirely.
Any LAN-adjacent attacker can query every indexed document, submit arbitrary agent tasks, read chat history, and interact with any connected tool, all without credentials. In team or enterprise deployments where AnythingLLM runs as a shared server rather than a personal desktop app, the service is reached over the network rather than loopback, so exposure beyond the host is likely.
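A quick way to test an instance for the two conditions described above (an API path that should require credentials answering without them, and a CORS policy that accepts any origin) is to send one request with a foreign Origin header and inspect the status and CORS response headers. The script below is an added example written for this page, not code from the AnythingLLM project or the advisory. It assumes the server listens on port 3001 and that `/api/workspaces` is an endpoint that should demand authentication; adjust both for your version. The origin `http://192.0.2.10` is a documentation-range address standing in for a LAN host.

```python
"""Probe an AnythingLLM-style listener for unauthenticated access plus permissive CORS.

Added example, not project code. PROBE_PATH and the default port are assumptions;
change them to match the deployment being checked.
"""
import json
import sys
import urllib.error
import urllib.request

# Assumed to be an endpoint that should require an instance password or API key.
PROBE_PATH = "/api/workspaces"
# Stand-in for a page served from another host on the LAN (RFC 5737 range).
ATTACKER_ORIGIN = "http://192.0.2.10"
# Assumed default server port.
DEFAULT_BASE_URL = "http://127.0.0.1:3001"


def assess(status, headers, origin=ATTACKER_ORIGIN):
    """Turn an HTTP status and response headers into findings.

    Header names are compared case-insensitively. "exposed" is true only when the
    endpoint answered 200 without credentials AND the CORS policy would let a page on
    `origin` read that response (wildcard, or the origin reflected back).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    acao = lowered.get("access-control-allow-origin")
    findings = {
        "unauthenticated": status == 200,
        "cors_wildcard": acao == "*",
        "cors_reflects_origin": acao == origin,
        "cors_credentials": lowered.get("access-control-allow-credentials", "").lower() == "true",
    }
    findings["exposed"] = findings["unauthenticated"] and (
        findings["cors_wildcard"] or findings["cors_reflects_origin"]
    )
    return findings


def probe(base_url=DEFAULT_BASE_URL, path=PROBE_PATH, origin=ATTACKER_ORIGIN, timeout=5):
    """Send one credential-less GET with a foreign Origin and assess the reply.

    A 401/403 (raised by urllib as HTTPError) is still a useful answer: it shows the
    endpoint enforces authentication, so the error response is assessed too.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + path, headers={"Origin": origin}, method="GET"
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess(resp.status, dict(resp.headers), origin)
    except urllib.error.HTTPError as err:
        return assess(err.code, dict(err.headers), origin)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_BASE_URL
    print(json.dumps(probe(target), indent=2))
```

Run it from a host that can reach the listener (for a desktop install, that is the same machine). An `exposed: true` result means both preconditions from the advisory hold; `unauthenticated: false` after setting a password confirms the fix took effect, and a remaining `cors_wildcard: true` is worth tracking separately since it becomes relevant again the moment any endpoint is reachable without credentials.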
Immediate action: set a strong instance password and an API key on every AnythingLLM installation now. Restrict network-level access to the AnythingLLM port to trusted hosts only. Check that multi-user deployments are not running version 1.11.1 or earlier with default settings, and update any that are.