PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48116 Mintplex-Labs CVE debrief

CVE-2026-48116 is a high-severity command injection vulnerability in AnythingLLM, an application that converts content into contextual references for LLM chat interactions. The vulnerability exists in versions prior to 1.13.0 and stems from improper handling of user-controlled input passed to the ripgrep utility. The filesystem-search-files agent skill passes an LLM-controlled pattern parameter directly to ripgrep as a positional argument without using the -- end-of-options separator. Because ripgrep interprets arguments starting with - as options, an attacker can inject command execution by supplying a pattern such as --pre=/bin/sh, which causes ripgrep to execute /bin/sh for every file it processes. This vulnerability is exploitable by any attacker who can chat with an agent on deployments where the filesystem plugin is enabled, which is the default configuration in the official Docker image. The attacker can chain this with the filesystem-write-text-file skill to achieve arbitrary command execution within the AnythingLLM server container. The vulnerability was fixed in version 1.13.0. The CVSS 3.1 vector indicates network attack vector, high attack complexity, low privileges required, no user interaction, unchanged scope, and high impacts to confidentiality, integrity, and availability.

Vendor: Mintplex-Labs
Product: anything-llm
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-30
Advisory published: 2026-05-28
Advisory updated: 2026-05-30

Who should care

Organizations running AnythingLLM deployments with agent chat functionality enabled, particularly those using the official Docker image with default filesystem plugin configuration. Security teams responsible for LLM application security and containerized AI workloads. Developers building agent-based systems that invoke external command-line tools with user-controlled input.

Technical summary

The vulnerability occurs in the filesystem-search-files agent skill, where the LLM-controlled pattern input is passed directly to ripgrep without argument separation. Because the -- end-of-options separator is absent, patterns beginning with - are interpreted as ripgrep options rather than search patterns. The --pre flag can be injected to specify an arbitrary command that ripgrep will execute for each file processed. In the default Docker configuration, where the filesystem plugin is enabled, this lets any attacker who can chat with an agent achieve remote code execution, consistent with the low-privileges-required (PR:L) rating in the CVSS vector. The fix in version 1.13.0 likely adds proper argument handling or input validation to prevent option injection.
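The argument-handling flaw described above and its hardened counterpart, as an added JavaScript example (not AnythingLLM's code; the 1.13.0 patch itself is not shown on this page). The function names and the --line-number base flag are assumptions, and classify models only the end-of-options convention, not ripgrep's full parser.

```javascript
// Added example, not AnythingLLM source. Names and base flags are assumptions.

// Vulnerable shape: the pattern sits where the option parser still accepts flags.
function buildArgsUnsafe(pattern, dir) {
  return ["--line-number", pattern, dir];
}

// Hardened shape: every token after "--" is positional, whatever it starts with.
function buildArgsSafe(pattern, dir) {
  if (typeof pattern !== "string" || pattern.length === 0 || pattern.includes("\0")) {
    throw new TypeError("pattern must be a non-empty string without NUL bytes");
  }
  return ["--line-number", "--", pattern, dir];
}

// Minimal model of the end-of-options convention: before "--", a token that
// starts with "-" is an option; after "--", every token is positional.
function classify(argv) {
  const options = [];
  const positionals = [];
  let endOfOptions = false;
  for (const arg of argv) {
    if (!endOfOptions && arg === "--") {
      endOfOptions = true;
    } else if (!endOfOptions && arg.startsWith("-") && arg !== "-") {
      options.push(arg);
    } else {
      positionals.push(arg);
    }
  }
  return { options, positionals };
}

// Same constructed input through both builders; "/data" is a placeholder path.
function demo(pattern) {
  return {
    unsafe: classify(buildArgsUnsafe(pattern, "/data")),
    safe: classify(buildArgsSafe(pattern, "/data")),
  };
}

console.log(JSON.stringify(demo("--pre=/bin/sh"), null, 2));
```

The argv array is meant to be handed to a process-spawning call that takes an argument list rather than a shell string, so the separator is the only boundary that matters here.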

Defensive priority

high

Recommended defensive actions

  • Upgrade to AnythingLLM version 1.13.0 or later to remediate this vulnerability
  • If immediate patching is not possible, disable the filesystem plugin or restrict agent chat access to trusted users only
  • Review container security configurations to limit potential blast radius from command execution
  • Monitor for suspicious process execution patterns involving ripgrep with unexpected --pre arguments
  • Audit agent conversation logs for attempts to inject patterns starting with - characters

Evidence notes

Vulnerability description confirms ripgrep argument injection via unescaped pattern parameter. Fix version 1.13.0 explicitly stated. CVSS 3.1 vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H from NVD source. CWE-77 and CWE-88 identified in source metadata. Official GitHub security advisory and commit reference provided.
