Anchorr XSS (CVE-2026-32890)
CVE-2026-32890
Attackers can steal every credential stored in Anchorr Discord bot by exploiting a stored XSS flaw. Unpatched versions 1.4.1 and below leak Discord tokens, API keys, and passwords. Upgrade to 1.4.2 immediately.
Patch now - CVE-2026-32890 is a critical stored XSS in Anchorr Discord bot versions 1.4.1 and below that lets any Discord user inject JavaScript to steal every credential, including Discord tokens and API keys, via an unauthenticated config endpoint. Upgrade to version 1.4.2 immediately.
Overview
A critical security vulnerability, tracked as CVE-2026-32890, has been discovered in the Anchorr Discord bot. Anchorr is used to request media and receive notifications from services like Jellyfin and Jellyseerr. The flaw allows attackers to steal every credential stored by the application.
Vulnerability Details
In versions 1.4.1 and below, the bot’s web dashboard contains a Stored Cross-Site Scripting (XSS) vulnerability. Specifically, the “User Mapping” dropdown feature does not properly sanitize user input. This allows any Discord user in the server (guild) where Anchorr is installed to inject malicious JavaScript code.
When an administrator views the dashboard, this code automatically executes in their browser. Attackers can chain this exploit with another insecure feature: an unauthenticated API endpoint (GET /api/config) that returns the bot’s entire configuration file in plaintext. By directing the admin’s browser to call this endpoint and forward the response to an attacker-controlled server, all secrets can be stolen without any login to Anchorr itself.
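The two controls this section implies, output escaping for the "User Mapping" dropdown and an authentication check plus redaction on the config endpoint, as an added example (not Anchorr's code, and not taken from the 1.4.2 fix). The function names, the `req.session.isAdmin` property and the sample users and configuration are assumptions for illustration; the handlers are written as pure functions so the file runs with Node alone, without a server.

```javascript
// Added example, not Anchorr's code: the two controls the advisory calls for,
// written as pure functions so they run without a server. The function names,
// the `req.session.isAdmin` property and the sample data are assumptions for
// illustration, not Anchorr's real API or configuration.

// HTML-escape untrusted text before it is placed in markup. Discord display
// names are chosen by the guild member, so the dashboard must treat them as data.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")   // first, so later replacements are not double-escaped
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable shape: the display name is concatenated straight into the
// <option> markup, so markup inside a name becomes live HTML when the
// admin's browser renders the dropdown. Kept only for comparison.
function renderUserMappingOptionsUnsafe(users) {
  return users
    .map((u) => `<option value="${u.id}">${u.displayName}</option>`)
    .join("");
}

// Hardened shape: the id is validated against the only legal form (a numeric
// Discord snowflake) and the name is escaped on output.
function renderUserMappingOptions(users) {
  return users
    .map((u) => {
      if (!/^\d{1,20}$/.test(String(u.id))) {
        throw new Error(`invalid user id: ${String(u.id)}`);
      }
      return `<option value="${u.id}">${escapeHtml(u.displayName)}</option>`;
    })
    .join("");
}

// Keys whose raw values must never leave the server. An admin only needs to
// see whether each one is configured.
const SECRET_KEYS = new Set([
  "DISCORD_TOKEN", "JELLYFIN_API_KEY", "JELLYSEERR_API_KEY", "JWT_SECRET", "WEBHOOK_SECRET",
]);

// Copy of the config with every secret replaced by a presence marker.
function redactConfig(config) {
  const out = {};
  for (const [key, value] of Object.entries(config)) {
    out[key] = SECRET_KEYS.has(key) ? (value ? "[set]" : "[unset]") : value;
  }
  return out;
}

// GET /api/config handler: refuse unauthenticated callers, and even for an
// authenticated admin return the redacted view. `req.session.isAdmin` is an
// assumed property populated by the dashboard login, not Anchorr's real session shape.
function handleConfigRequest(req, config) {
  if (!req || !req.session || req.session.isAdmin !== true) {
    return { status: 401, body: { error: "authentication required" } };
  }
  return { status: 200, body: redactConfig(config) };
}

// Constructed sample data for a stand-alone run.
const sampleUsers = [
  { id: "123456789012345678", displayName: "alice" },
  { id: "234567890123456789", displayName: "<script>alert(1)</script>" },
];
const sampleConfig = {
  DISCORD_TOKEN: "constructed-token-value",
  JELLYFIN_URL: "http://jellyfin.example.internal",
  JWT_SECRET: "",
};

console.log(renderUserMappingOptionsUnsafe(sampleUsers)); // <script> survives into the markup
console.log(renderUserMappingOptions(sampleUsers));       // rendered as &lt;script&gt;
console.log(handleConfigRequest({}, sampleConfig));       // status 401
console.log(handleConfigRequest({ session: { isAdmin: true } }, sampleConfig)); // redacted body
```

Escaping at output time rather than filtering at input time is deliberate: the name also travels through Discord's own API and may be stored in several places, and only the point where it becomes HTML knows which characters are dangerous. Redacting the config even for admins means a future XSS in the dashboard can no longer turn an authenticated session into a full credential dump.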
Impact and Risks
The impact of this vulnerability is severe. Successful exploitation leads to a complete compromise of all credentials stored within Anchorr, including:
- DISCORD_TOKEN (could allow takeover of the bot account)
- JELLYFIN_API_KEY
- JELLYSEERR_API_KEY
- JWT_SECRET
- WEBHOOK_SECRET
- Bcrypt-hashed passwords
With these credentials, an attacker could gain unauthorized access to linked media servers, impersonate the bot, and potentially access other integrated systems. This type of credential leak is a common precursor to larger security incidents, as detailed in our breach reports.
Remediation and Mitigation
The only complete remediation is to immediately upgrade Anchorr to version 1.4.2 or later, which contains the fix. There is no effective workaround.
Action Steps:
- Update: Stop the bot and upgrade to version 1.4.2 without delay.
- Credential Rotation: As a precautionary measure, rotate all secrets exposed by the /api/config endpoint. This includes generating new Discord tokens, API keys, and JWT secrets, and changing any associated passwords.
- Monitor: Review logs for suspicious activity that occurred before the update was applied. Stay informed on similar vulnerabilities through our security news channel.
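Two triage helpers for the Monitor step, as an added example that is not Anchorr's code: one lists every successful pre-patch read of /api/config from an access log and ranks reads from addresses outside the known admin set first, the other scans the guild member names the dashboard would render for markup characters. The log line format is a constructed Apache-style combined log such as a reverse proxy in front of the dashboard might write; Anchorr's own log format and field names are not known here, so `LINE_RE`, the sample lines and the sample members are all assumptions.

```javascript
// Added example, not Anchorr's code: triage helpers for the "Monitor" step.
// The log line format is a constructed Apache-style combined log as a reverse
// proxy in front of the dashboard might write it; adjust LINE_RE to your own
// format. Anchorr's real log format and field names are not known here.

const LINE_RE =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

// Parse one line into its fields, or return null for lines that do not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return {
    ip: m[1], time: m[2], method: m[3], path: m[4],
    status: Number(m[5]), referer: m[6], userAgent: m[7],
  };
}

// Every successful GET of /api/config before 1.4.2 handed out the full
// configuration with no authentication, so each 200 is a potential leak.
// Reads from an address outside the known admin set are listed first.
function findConfigReads(lines, adminAddresses) {
  const hits = [];
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || e.method !== "GET" || e.status !== 200) continue;
    if (e.path.split("?")[0] !== "/api/config") continue;
    hits.push({ ...e, expectedSource: adminAddresses.has(e.ip) });
  }
  hits.sort((a, b) => Number(a.expectedSource) - Number(b.expectedSource));
  return hits;
}

// Stored-XSS indicator: names that currently contain markup characters or a
// javascript: scheme. A match is a triage signal to inspect, not proof of attack,
// since quotes and angle brackets can appear in ordinary nicknames.
const MARKUP_RE = /[<>"']|javascript:/i;

function findMarkupInNames(members) {
  return members
    .filter((m) => MARKUP_RE.test(String(m.displayName)))
    .map((m) => m.id);
}

// Constructed sample input: two admin requests, one direct read from an
// unknown address while the endpoint was still open, and one refused after the patch.
const sampleLog = [
  '203.0.113.7 - - [10/Mar/2026:10:00:01 +0000] "GET /dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Mar/2026:10:00:05 +0000] "GET /api/config HTTP/1.1" 200 2048 "http://anchorr.example.internal/dashboard" "Mozilla/5.0"',
  '198.51.100.23 - - [10/Mar/2026:11:32:40 +0000] "GET /api/config HTTP/1.1" 200 2048 "-" "curl/8.5.0"',
  '198.51.100.23 - - [11/Mar/2026:09:15:02 +0000] "GET /api/config HTTP/1.1" 401 31 "-" "curl/8.5.0"',
];
const sampleMembers = [
  { id: "123456789012345678", displayName: "alice" },
  { id: "234567890123456789", displayName: "bob<script>alert(1)</script>" },
];

for (const hit of findConfigReads(sampleLog, new Set(["203.0.113.7"]))) {
  console.log(`${hit.expectedSource ? "known admin" : "UNEXPECTED"} ${hit.ip} ${hit.time} ${hit.userAgent}`);
}
console.log("member names needing review:", findMarkupInNames(sampleMembers));
```

Because the exfiltration described above happens from the admin's own browser, a read driven by the injected script will carry the admin's address and a dashboard Referer and look like a normal dashboard load; the log check therefore catches direct, unauthenticated reads of the endpoint, while the name scan is what points at a planted payload. Any 200 from /api/config in the pre-patch window is reason to rotate, regardless of source.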
This vulnerability underscores the critical importance of input sanitization in web interfaces and securing API endpoints that handle sensitive configuration data.