CVE-2024-6842

NONE EPSS 97.9%
Published Mar 20, 2025 (1y ago) · Modified Jun 17, 2026 (2w ago)

Description

In version 1.5.5 of mintplex-labs/anything-llm, the `/setup-complete` API endpoint allows unauthorized users to access sensitive system settings. The data returned by the `currentSettings` function includes sensitive information such as API keys for search engines, which can be exploited by attackers to steal these keys and cause loss of user assets.

Threat Intelligence

EPSS Exploit Probability
97.9% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-306 Missing Authentication for Critical Function · Authentication

Affected Products 1

Vendor        Product      Version  Range
mintplexlabs  anythingllm  1.5.5    any

References 2

  • github.com https://github.com/mintplex-labs/anything-llm/commit/8b1ceb30c159cf3a10efa16275bc6849d84e4ea8
    Patch
  • huntr.com https://huntr.com/bounties/cd911fc7-ac6b-4974-acd0-9cc926fa8d9e
    Exploit, Third Party Advisory

Remediation

  • github.com https://github.com/mintplex-labs/anything-llm/commit/8b1ceb30c159cf3a10efa16275bc6849d84e4ea8
    Patch