CVE-2026-48116: AnythingLLM Command Injection via Ripgrep Abuse
AnythingLLM versions before 1.13.0 contain a command injection vulnerability in their filesystem search capability. When an authenticated user chats with the filesystem agent, an attacker can craft malicious search patterns that trick the underlying ripgrep tool into executing arbitrary commands on the server. The vulnerability exists because the application doesn't properly isolate user input before passing it to ripgrep, allowing an attacker to inject command-line flags that transform ripgrep into a command executor. Combined with AnythingLLM's file-writing capability, this creates a complete remote code execution path within the container.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-77, CWE-88
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the filesystem-search-files agent skill passes its LLM-controlled pattern parameter to ripgrep as a positional argument without a -- end-of-options separator. ripgrep parses any argument that starts with - as an option, so a pattern of --pre=/bin/sh turns ripgrep into a script executor: it runs /bin/sh <file> for every file it walks. An attacker who can chat with an agent on a deployment with the filesystem plugin enabled (the default in the official Docker image) can use this, together with the sibling filesystem-write-text-file skill, to run arbitrary commands inside the AnythingLLM server container. This vulnerability is fixed in 1.13.0.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The filesystem-search-files agent skill in AnythingLLM constructs ripgrep commands by inserting an LLM-controlled pattern parameter as a positional argument without using the -- end-of-options separator. ripgrep interprets arguments beginning with a hyphen as option flags rather than literal search patterns. An attacker can supply a pattern such as --pre=/bin/sh, which ripgrep then interprets as a preprocessor directive. This causes ripgrep to execute /bin/sh <file> for each file it encounters, effectively converting the search operation into arbitrary shell command execution. The vulnerability is particularly severe because the LLM intermediary may not recognize or block such injection patterns, and the attacker need only have chat access to a deployment with the filesystem plugin enabled—which is the default configuration in the official Docker image.
Business impact
Organizations running AnythingLLM in production with the filesystem plugin enabled face critical operational risk. An authenticated attacker can execute arbitrary commands within the AnythingLLM container, potentially leading to data exfiltration, lateral movement to other systems, deployment of malware or backdoors, or service disruption. The attack surface is broader than typical backend vulnerabilities because it can be triggered through the chat interface—any user or compromised account with chat access becomes a potential attack vector. In multi-tenant or shared deployments, this becomes a privilege escalation and isolation bypass. The combination with the file-writing skill means attackers can persist malicious code, create reverse shells, or modify application files.
Affected systems
AnythingLLM versions prior to 1.13.0 are affected. The official Docker image ships with the filesystem plugin enabled by default, making containerized deployments particularly vulnerable. Any installation that has enabled the filesystem-search-files and filesystem-write-text-file agent skills is at risk. Organizations should audit their deployments to identify which versions are currently running and whether the filesystem plugin is active.
Exploitability
The vulnerability requires authentication (PR:L in CVSS terms) and non-trivial understanding of ripgrep syntax and AnythingLLM's architecture, reflected in the AC:H (High Complexity) rating. However, once an attacker understands the injection mechanism, exploitation is straightforward and can be delivered through normal chat interaction without additional tools or user interaction. The barrier to exploitation is moderate—security research or documentation discovery of the ripgrep --pre flag behavior enables reliable attacks. LLM-mediated exploitation is possible if the model can be prompted or jailbroken to generate malicious search patterns, though this is less direct than manual exploitation.
Remediation
Upgrade AnythingLLM to version 1.13.0 or later, which implements proper input sanitization and uses the -- separator to prevent ripgrep from interpreting user-supplied patterns as option flags. Organizations unable to upgrade immediately should disable the filesystem plugin if not required for operations, or restrict chat access to trusted users only. Review access logs and chat histories for suspicious search patterns (those beginning with --, --pre, --filter, or similar ripgrep options) to identify potential exploitation attempts.
Patch guidance
Apply the official update to AnythingLLM 1.13.0 or newer. Verify the patch is applied by checking the application version in settings or logs. Test filesystem search functionality post-patch to ensure the fix does not break legitimate search operations. For Docker deployments, rebuild container images with the patched version and redeploy. Consider implementing a phased rollout to verify stability in non-production environments first.
Detection guidance
Monitor AnythingLLM logs and audit trails for chat messages containing ripgrep option-like patterns in filesystem search queries, particularly those beginning with --, --pre, --filter, --type, or other known ripgrep flags. Network detection is limited to behavioral indicators: unusual outbound connections or command execution initiated from the AnythingLLM container. Endpoint-level monitoring of the container runtime can detect unexpected child processes spawned by ripgrep or the AnythingLLM process. Alert on file modifications within the AnythingLLM container directory, especially creation of scripts or executables in temporary locations.
Why prioritize this
This vulnerability merits immediate attention despite authentication requirements because: (1) it enables complete remote code execution within production containers; (2) the default Docker configuration is vulnerable, affecting the most common deployment model; (3) the attack vector is accessible to any authenticated user, including those with limited intended privileges; (4) it chains with a sibling file-writing capability to create persistent compromise; (5) the fix is available and straightforward to deploy. Organizations should prioritize patching within their standard critical vulnerability timelines.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) reflects the severity of remote code execution (High impact on confidentiality, integrity, and availability), balanced against the authentication requirement and moderate attack complexity. The score appropriately captures the risk in typical deployments but may underweight scenarios where chat access is broadly granted or where the service is internet-facing with weak authentication.
Frequently asked questions
Do we need to disable the filesystem plugin entirely, or is upgrading sufficient?
Upgrading to 1.13.0 or later is sufficient if properly applied. The patch addresses the root cause (improper input handling) rather than removing the feature. However, if your organization does not use the filesystem search capability, disabling the plugin provides defense-in-depth while you plan your upgrade timeline.
Can this be exploited without authentication, or does someone need a valid chat session?
Authentication is required. An attacker must have a valid user account or compromised credentials to access the chat interface. The vulnerability cannot be exploited over the network without first establishing authenticated access. This limits the attack surface but does not eliminate risk in organizations with liberal user provisioning or shared demo deployments.
What does the --pre flag do in ripgrep, and why does it enable command execution?
ripgrep's --pre flag allows users to specify a preprocessor script to run on files before searching them. This is a legitimate ripgrep feature for handling compressed or encoded files. In this case, an attacker abuses it by supplying --pre=/bin/sh, which causes ripgrep to execute /bin/sh as a preprocessor, effectively giving them shell access to files on the system.
How would an LLM-based chat interface allow an attacker to inject this pattern?
If the LLM model is prompted (either through manual user input or jailbreaking) to generate a filesystem search query containing ripgrep flags, and the application does not validate or sanitize the output before passing it to ripgrep, the injection succeeds. This highlights the importance of treating LLM outputs as untrusted input, even in internal tools.
This analysis is based on the official CVE description and CVSS scoring. Organizations should verify patch availability and compatibility with their specific AnythingLLM deployment before applying updates. Testing patches in non-production environments is strongly recommended. SEC.co does not provide warranties regarding the completeness or accuracy of detection signatures or the absence of false positives in your environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2024-52011HIGHCommand Injection in launch-editor via Malicious Filenames on Windows
- CVE-2026-10214HIGHCommand Injection in chatgpt-on-wechat Bash Tool
- CVE-2026-10219HIGHGoClaw Command Injection Vulnerability
- CVE-2026-10273HIGHRemote Code Execution in php-censor Webhook Handler
- CVE-2026-10870HIGHShibby Tomato 1.28.0000 OS Command Injection Vulnerability
- CVE-2026-10871HIGHShibby Tomato Remote Command Injection via IPv6 6rd Parameter
- CVE-2026-10872HIGHOS Command Injection in Shibby Tomato 1.28.0000 Web UI
- CVE-2026-10873HIGHOS Command Injection in Shibby Tomato 1.28.0000 Web UI