CVE-2026-32626: Critical XSS-to-RCE vulnerability in AnythingLLM Desktop gives attackers full system control

QuantNest Radar Team
Mar 15, 2026

A critical security vulnerability has been publicly disclosed in AnythingLLM Desktop, the popular open-source local AI knowledge base application. Tracked as CVE-2026-32626 and carrying a CVSS v3.1 score of 9.6 (Critical), this flaw chains a Streaming Phase Cross-Site Scripting (XSS) exploit with Electron's insecure default configuration to achieve full Remote Code Execution (RCE) on the host operating system.

Vulnerability Overview

The vulnerability resides in AnythingLLM Desktop versions 1.11.1 and earlier. It is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). What makes this flaw particularly dangerous is that it works with default settings and requires no user interaction beyond normal chat usage — simply receiving a malicious AI response is enough to trigger the exploit chain.

Technical Analysis

The attack chain exploits two compounding weaknesses in AnythingLLM's architecture:

1. Unsanitized Markdown Rendering

The core issue lies in the custom markdown-it image renderer located in frontend/src/utils/chat/markdown.js. This renderer interpolates token.content directly into the image alt attribute without HTML entity escaping. By crafting a malicious markdown image tag with JavaScript payloads embedded in the alt text, an attacker can inject arbitrary scripts into the rendered DOM.
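The escaping gap described above, shown as an added example that is not AnythingLLM's own code: a renderer that interpolates the alt text verbatim next to one that entity-escapes it. The token shape mimics a markdown-it image token; the function names, the sample token and its benign `data-injected` marker are constructed for illustration.

```javascript
// Added illustration; NOT the project's code. All names here are hypothetical.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Look up an attribute on a markdown-it style token ([name, value] pairs).
function attrGet(token, key) {
  const pair = token.attrs.find(([name]) => name === key);
  return pair ? pair[1] : "";
}

// Pattern the advisory describes: token.content lands in alt="" unescaped,
// so a double quote in the alt text closes the attribute early.
function renderImageUnsafe(token) {
  return `<img src="${attrGet(token, "src")}" alt="${token.content}" />`;
}

// Hardened form: every interpolated value is entity-escaped first.
function renderImageSafe(token) {
  return `<img src="${escapeHtml(attrGet(token, "src"))}" alt="${escapeHtml(token.content)}" />`;
}

// Lists the attribute names an HTML parser would see on the tag, which makes
// an attribute breakout visible without running anything in a browser.
function attributeNames(html) {
  return [...html.matchAll(/([a-zA-Z-]+)="[^"]*"/g)].map((m) => m[1]);
}

// Constructed sample: alt text carrying a quote plus a harmless marker attribute.
const SAMPLE_TOKEN = {
  content: 'cat" data-injected="1',
  attrs: [["src", "https://example.test/cat.png"], ["alt", ""]],
};

console.log("unsafe:", attributeNames(renderImageUnsafe(SAMPLE_TOKEN)));
console.log("safe:  ", attributeNames(renderImageSafe(SAMPLE_TOKEN)));
```

Escaping at the renderer closes only this one sink; the streamed HTML still needs the same sanitization pass that historical messages receive.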

2. Inconsistent Sanitization

The PromptReply component — which handles real-time streaming responses — renders the processed markdown output using React's dangerouslySetInnerHTML without DOMPurify sanitization. This stands in contrast to the HistoricalMessage component, which correctly applies DOMPurify before rendering. This inconsistency means that while historical (cached) messages are safe, live streamed responses are fully vulnerable to XSS injection.

3. Electron Privilege Escalation

Because AnythingLLM Desktop runs inside an Electron shell with Node.js integration enabled, the injected JavaScript executes with full access to Node.js APIs. This means an attacker can:

  • Execute arbitrary commands on the host OS via require('child_process').exec()
  • Read and write files anywhere on the filesystem
  • Exfiltrate sensitive data including API keys, credentials, and documents in the knowledge base
  • Install persistent backdoors or download additional payloads

"This is a textbook example of why dangerouslySetInnerHTML in Electron applications is so dangerous. The streaming pathway bypasses all sanitization, and Electron's Node integration turns a browser-level XSS into a full system compromise." — QuantNest Radar Threat Research

CVSS 3.1 Vector Breakdown

  • Attack Vector: Network — exploitable via poisoned AI model responses or prompt injection
  • Attack Complexity: Low — no special conditions required
  • Privileges Required: None — no authentication needed
  • User Interaction: Required — victim must engage in a chat session (normal usage)
  • Scope: Changed — the exploit escapes the browser sandbox to the host OS
  • Confidentiality: High — full data access
  • Integrity: High — arbitrary file modification
  • Availability: High — complete system compromise possible

Attack Scenarios

The most concerning attack vectors include:

  1. Poisoned RAG documents: An attacker plants malicious markdown content in documents that get ingested into the knowledge base. When a user asks a question that retrieves this content, the XSS payload fires during the streaming response.
  2. Prompt injection via external sources: If AnythingLLM is connected to external data sources (web scraping, APIs), an attacker can inject payloads that get echoed back through the chat interface.
  3. Malicious model responses: A compromised or adversarial model fine-tuned to occasionally inject exploit payloads into otherwise normal-looking responses.

Affected Versions

  • AnythingLLM Desktop versions 1.11.1 and earlier
  • All operating systems (Windows, macOS, Linux) running vulnerable versions

Remediation

Organizations and individual users should take immediate action:

  1. Update immediately: Upgrade AnythingLLM Desktop to a release later than 1.11.1 that patches the markdown renderer and adds DOMPurify sanitization to the streaming pipeline.
  2. Audit knowledge bases: Review ingested documents for any suspicious markdown image tags containing encoded scripts or unusual alt text patterns.
  3. Network isolation: Until patched, run AnythingLLM in a sandboxed environment or virtual machine to limit the blast radius of potential exploitation.
  4. Monitor for indicators: Watch for unexpected child process spawning from the AnythingLLM Electron process, unusual network connections, or file system modifications.
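
One way to approach the knowledge-base audit in step 2, as an added example rather than a vendor tool: a scanner that flags markdown image tags whose alt text contains characters that matter inside an HTML attribute. The heuristics, function names and sample document are assumptions constructed for illustration; tune them to your own corpus.

```javascript
// Added illustration; the checks below are heuristics, not an official signature set.
// Matches ![alt](target ...) and captures the alt text.
const IMAGE_TAG = /!\[([^\]]*)\]\(([^)\s]*)[^)]*\)/g;

const CHECKS = [
  { reason: "double quote in alt text", test: (alt) => alt.includes('"') },
  { reason: "angle bracket in alt text", test: (alt) => /[<>]/.test(alt) },
  { reason: "event-handler-like attribute in alt text", test: (alt) => /\bon[a-z]+\s*=/i.test(alt) },
  { reason: "entity-encoded character in alt text", test: (alt) => /&(quot|lt|gt|#x?[0-9a-f]+);/i.test(alt) },
];

// Returns one finding per suspicious image tag, with a 1-based line number
// so a reviewer can open the source document at the right place.
function auditMarkdown(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, index) => {
    for (const match of line.matchAll(IMAGE_TAG)) {
      const alt = match[1];
      const reasons = CHECKS.filter((c) => c.test(alt)).map((c) => c.reason);
      if (reasons.length > 0) findings.push({ line: index + 1, alt, reasons });
    }
  });
  return findings;
}

// Constructed sample document: one ordinary image and two that deserve review.
const SAMPLE_DOC = [
  "# Quarterly report",
  "![Revenue chart](charts/revenue.png)",
  'Intro text ![logo" data-injected="1](img/logo.png) more text',
  "![a <b> c](img/x.png)",
].join("\n");

for (const f of auditMarkdown(SAMPLE_DOC)) {
  console.log(`line ${f.line}: ${f.reasons.join("; ")}`);
}
```

A hit is a prompt for manual review, not proof of tampering; legitimate captions occasionally contain quotes.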

QuantNest will update this advisory as official patches and additional technical details become available.