AnythingLLM, a widely deployed open-source LLM application with over 56,000 GitHub stars, shipped a high-severity SQL injection vulnerability in its built-in SQL Agent plugin. The flaw, present in versions 1.11.1 and earlier, allows any authenticated user to execute arbitrary SQL commands against connected databases.
The vulnerability exists in the getTableSchemaSql() method, which builds its query by concatenating the caller-supplied table_name parameter directly into the SQL text instead of binding it as a parameter or validating it as an identifier, a textbook injection vector that affects the MySQL, PostgreSQL, and MSSQL connectors alike.
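To make the pattern concrete, the following is an added illustration written for this write-up, not AnythingLLM's own code: a schema-lookup query builder in the vulnerable shape the advisory describes, beside two hardened forms. The function names (buildSchemaSqlUnsafe, buildSchemaSqlSafe, quoteIdentifier), the per-dialect placeholder syntax, and the attacker string are all assumptions chosen for the demonstration.

```javascript
// Illustration only (not AnythingLLM's code): how a table-name lookup becomes
// injectable, and two ways to close it. Names and placeholder syntax are assumed.

// Constructed attacker input: closes the string literal, appends a second
// statement, and comments out the trailing quote.
const MALICIOUS_TABLE = "users'; DROP TABLE users; --";

// VULNERABLE: the table name is spliced into the query text, so the quote in
// the input ends the literal and everything after it is parsed as SQL.
function buildSchemaSqlUnsafe(tableName) {
  return (
    "SELECT column_name, data_type FROM information_schema.columns " +
    "WHERE table_name = '" + tableName + "'"
  );
}

// HARDENED (1): here the table name is compared as a VALUE, so it can be bound.
// The driver sends `text` and `params` separately; the input is never parsed
// as SQL. Placeholder spelling differs by dialect (assumed values below).
const PLACEHOLDER = { mysql: "?", postgres: "$1", mssql: "@table" };

function buildSchemaSqlSafe(tableName, dialect) {
  if (!(dialect in PLACEHOLDER)) {
    throw new Error(`unsupported dialect: ${dialect}`);
  }
  return {
    text:
      "SELECT column_name, data_type FROM information_schema.columns " +
      `WHERE table_name = ${PLACEHOLDER[dialect]}`,
    params: [tableName],
  };
}

// HARDENED (2): when the name must appear as an IDENTIFIER (e.g. in a FROM
// clause) it cannot be bound, so reject anything outside a conservative
// allowlist, then wrap it in the dialect's identifier delimiters, doubling any
// embedded closing delimiter (unreachable after the regex, kept as defence in depth).
const IDENT = /^[A-Za-z_][A-Za-z0-9_]{0,63}$/;
const DELIM = { mysql: ["`", "`"], postgres: ['"', '"'], mssql: ["[", "]"] };

function quoteIdentifier(name, dialect) {
  if (!(dialect in DELIM)) {
    throw new Error(`unsupported dialect: ${dialect}`);
  }
  if (!IDENT.test(name)) {
    throw new Error(`rejected identifier: ${JSON.stringify(name)}`);
  }
  const [open, close] = DELIM[dialect];
  return open + name.split(close).join(close + close) + close;
}

// Returns true when the attacker payload survives into the query text as SQL.
function payloadReachesSql(sqlText) {
  return sqlText.includes("; DROP TABLE users; --");
}

// Demo when run directly.
console.log("unsafe :", buildSchemaSqlUnsafe(MALICIOUS_TABLE));
console.log("safe   :", JSON.stringify(buildSchemaSqlSafe(MALICIOUS_TABLE, "postgres")));
console.log("quoted :", quoteIdentifier("users", "mysql"));
```

Running the file shows the unsafe builder emitting a query that ends in `'users'; DROP TABLE users; --'`, a stacked statement on any connector that allows multiple statements per call, while the parameterised form keeps the same string confined to the params array and the identifier allowlist rejects it outright. The lesson for any agent or plugin that exposes a "table name" to model-controlled input is that the fix depends on where the value lands: bind it when it is a value, allowlist-and-quote it when it is an identifier, and never concatenate.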
Because the SQL Agent operates with application-level database access, a successful exploit grants the attacker the full privileges of the agent's DB credentials — schema enumeration, data exfiltration, and potentially destructive writes across all connected databases.
Immediate recommendation: Audit all AnythingLLM deployments running ≤ 1.11.1 and treat every user who can reach the SQL Agent as able to run arbitrary SQL with the agent's credentials. Restrict each database connector to the minimum privileges it needs (a read-only account where possible) and monitor the connected databases for anomalous query patterns until the deployment can be moved to a release that is no longer affected.