HIGH | CVE-2026-48116 | CNA: GitHub_M

CVE-2026-48116: AnythingLLM: RCE via ripgrep --pre argument injection in filesystem-search-files agent skill

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the filesystem-search-files agent skill passes its LLM-controlled pattern parameter to ripgrep as a positional argument without a -- end-of-options separator. ripgrep parses any argument that starts with - as an option, so a pattern of --pre=/bin/sh turns ripgrep into a script executor: it runs /bin/sh <file> for every file it walks. An attacker who can chat with an agent on a deployment with the filesystem plugin enabled (the default in the official Docker image) can use this, together with the sibling filesystem-write-text-file skill, to run arbitrary commands inside the AnythingLLM server container. This vulnerability is fixed in 1.13.0.
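The difference between the vulnerable and fixed invocation described above, as an added example (this is not AnythingLLM's code; the function names and the `/srv/docs` path are hypothetical, and `classifyArgv` is a simplified model of conventional option parsing, not ripgrep's parser):

```javascript
// Added illustration; not AnythingLLM source. All function names are hypothetical.

// Pre-1.13.0 shape per the advisory: the pattern is a bare positional argument.
function buildArgsVulnerable(pattern, dir) {
  return ["--json", pattern, dir];
}

// Hardened shape: "--" ends option parsing, so a leading "-" stays a literal pattern.
function buildArgsHardened(pattern, dir) {
  if (typeof pattern !== "string" || pattern.length === 0 || pattern.includes("\0")) {
    throw new TypeError("pattern must be a non-empty string without NUL bytes");
  }
  return ["--json", "--", pattern, dir];
}

// Simplified model of conventional CLI parsing: before "--", any argument that
// starts with "-" (other than a lone "-") is treated as an option.
function classifyArgv(argv) {
  const options = [];
  const positionals = [];
  let endOfOptions = false;
  for (const arg of argv) {
    if (!endOfOptions && arg === "--") {
      endOfOptions = true;
    } else if (!endOfOptions && arg.startsWith("-") && arg !== "-") {
      options.push(arg);
    } else {
      positionals.push(arg);
    }
  }
  return { options, positionals };
}

// Pre-spawn guard or log check: would the search tool honour a preprocessor option?
function honoursPreprocessor(argv) {
  return classifyArgv(argv).options.some((o) => o === "--pre" || o.startsWith("--pre="));
}

// Constructed inputs: the pattern is the one quoted in the advisory; the path is made up.
const llmPattern = "--pre=/bin/sh";
const searchRoot = "/srv/docs";
for (const build of [buildArgsVulnerable, buildArgsHardened]) {
  const argv = build(llmPattern, searchRoot);
  console.log(build.name, JSON.stringify(classifyArgv(argv)), honoursPreprocessor(argv));
}
```

The same `honoursPreprocessor` check can be run over recorded process argv (for example from container exec auditing) to spot search invocations where a model-supplied value was parsed as an option.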

HarborGuard Analysis

Synopsis

This is an argument injection vulnerability in AnythingLLM that leads to remote code execution. An attacker who can send chat messages to an agent instance reaches the flaw over the network using any low-privilege account; no special privileges are required beyond basic chat access. By crafting a malicious ripgrep pattern, the attacker causes the server to execute arbitrary shell commands inside the AnythingLLM container. No fix version has been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection

Detection of CVE-2026-48116 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images derived from the official AnythingLLM Docker image. Any image carrying an affected version of anything-llm (below 1.13.0) is flagged automatically.

Status: Available

Triage

Triage is available with the recorded CVSS v3.1 score of 7.5 (HIGH) applied to each matched image, weighted further by each customer organization's compliance policy to surface urgency and route findings to the appropriate team inbox. Per-environment context, such as whether the filesystem plugin is active in a given image, can be incorporated through custom policy rules.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Mintplex-Labs ships a confirmed fix. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will trigger automatically once a fix version is ingested.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the AnythingLLM chat endpoint over the network; the service must be accessible from the attacker's location.

  • Authentication: Required

    A low-privilege account with chat access is sufficient; no administrative credentials are needed.

  • Victim interaction: Not required

    No victim action is needed; the attacker drives the exploit entirely through their own chat input.

  • Attack complexity: Detail

    Exploitation involves chaining two agent skills (filesystem-write-text-file and filesystem-search-files) and depends on the filesystem plugin being enabled. The plugin is enabled by default in the official Docker image, but the dependency is still an environmental precondition.

Blast Radius

  • The attacker executes arbitrary shell commands inside the AnythingLLM server container, giving full control over running processes.
  • All data readable by the container process, including LLM context, stored documents, API keys, and environment variables, is exposed to the attacker.
  • The attacker can write, overwrite, or delete any files accessible to the container, corrupting stored knowledge bases and configuration.
  • The container runtime itself can be crashed or used as a pivot point for further movement within the host network.

How HarborGuard Handles This

Available on HarborGuard: images running any version of anything-llm below 1.13.0 are matched against this CVE and flagged as soon as the advisory is ingested. Because no upstream fix has been published, HarborGuard monitors the advisory on every ingest cycle; a patched-image rebuild will become available automatically the moment Mintplex-Labs releases a confirmed fix version. For customers who opt into auto-remediation, that rebuild triggers a regression run and opens a PR against affected workloads without manual intervention. While awaiting a fix, compensating controls worth considering include network-policy isolation to restrict which clients can reach the AnythingLLM service, disabling the filesystem plugin via environment configuration if the feature is not required, and egress filtering on the container to limit what a successful command injection can reach downstream.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in:
  • Affected products: 1
  • Affected packages: Mintplex-Labs / anything-llm < 1.13.0
  • CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H