Mintplex Anything-LLM Unauthorized Access to Sensitive Settings Vulnerability

Vulnerability

A vulnerability in Mintplex Labs' Anything-LLM version 1.5.5 allows unauthenticated users to read sensitive system settings through the '/setup-complete' API endpoint. The 'currentSettings' function behind this endpoint returns the instance's configuration, including the API keys configured for web search providers, without requiring the caller to authenticate. Anyone who can reach the instance over the network can harvest these keys and use them at the owner's expense or to compromise the owner's assets.

Impact

Exploitation gives an attacker the instance owner's search-provider API keys. The attacker can then call those providers as the owner, consuming paid quota and otherwise misusing the accounts the keys unlock, which the vendor describes as a loss of user assets.

Reproduction

To reproduce this vulnerability, send a request to the '/setup-complete' API endpoint of an affected instance with no authentication header. The response contains the current system settings, including the configured search-engine API keys in plaintext. On a patched instance these values are not returned to an unauthenticated caller.
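The following is an added example, not code from the advisory or from the Anything-LLM project. It shows the check a practitioner would run against their own instance (does an unauthenticated call return secret-looking values?) and, beside it, the redaction a fixed server applies to the settings object before returning it to an unauthenticated caller. It assumes the endpoint is served as GET under an '/api' prefix and answers with JSON shaped like { results: { ...settings } }; the field names in the constructed sample are illustrative, not the real Anything-LLM setting names.

```javascript
// Added example (not Anything-LLM's own code).
// Assumptions not stated in the advisory:
//  - the route is GET /api/setup-complete (the "/api" prefix is assumed)
//  - the body is { results: { ...settings } }
//  - SAMPLE_RESPONSE below is constructed; its field names are illustrative

// Field names that normally carry a credential.
const SECRET_FIELD = /(api[-_]?key|secret|token|password)$/i;

// True when a value is not a usable secret: absent, empty, or already
// masked (e.g. "********" or "****cdef", where only the tail is shown).
function looksRedacted(value) {
  if (value === null || value === undefined) return true;
  const s = String(value).trim();
  return s === "" || /^[*•]{4,}[A-Za-z0-9]{0,4}$/.test(s);
}

// Walk a settings object and return the dotted paths of fields whose name
// suggests a credential and whose value is not redacted. An empty result
// means the response is safe to hand to an unauthenticated caller.
function findExposedSecrets(settings, prefix = "") {
  const exposed = [];
  for (const [name, value] of Object.entries(settings || {})) {
    const path = prefix ? `${prefix}.${name}` : name;
    if (value && typeof value === "object") {
      exposed.push(...findExposedSecrets(value, path));
    } else if (SECRET_FIELD.test(name) && !looksRedacted(value)) {
      exposed.push(path);
    }
  }
  return exposed;
}

// The hardened behaviour: the view a server should return before the caller
// has authenticated. Credential fields are reduced to a presence marker so a
// setup UI can still tell whether a provider is configured; nothing else is
// altered. Authenticated admins would receive the unredacted object through
// a separate, auth-checked path.
function redactForUnauthenticated(settings) {
  const out = {};
  for (const [name, value] of Object.entries(settings)) {
    if (value && typeof value === "object" && !Array.isArray(value)) {
      out[name] = redactForUnauthenticated(value);
    } else if (SECRET_FIELD.test(name)) {
      out[name] = value ? "********" : null; // presence only, never the key
    } else {
      out[name] = value;
    }
  }
  return out;
}

// Constructed sample of what an affected instance might return.
const SAMPLE_RESPONSE = {
  results: {
    LLMProvider: "openai",
    AgentSearchProvider: "serper-dot-dev",
    SerperApiKey: "sk-example-0123456789abcdef", // leaked in the clear
    GoogleSearchApiKey: "",                       // provider not configured
    BingSearchApiKey: null,
    MultiUserMode: false,
  },
};

// Live check of your own instance: one unauthenticated request, nothing more.
// Usage: ANYTHINGLLM_URL=http://localhost:3001 node check-setup-complete.js
async function probe(baseUrl) {
  const url = `${baseUrl.replace(/\/$/, "")}/api/setup-complete`;
  const res = await fetch(url, { headers: { Accept: "application/json" } }); // no Authorization header
  if (!res.ok) return { status: res.status, exposed: [] };
  const body = await res.json();
  return { status: res.status, exposed: findExposedSecrets(body.results ?? body) };
}

if (process.env.ANYTHINGLLM_URL) {
  probe(process.env.ANYTHINGLLM_URL).then(({ status, exposed }) => {
    console.log(exposed.length
      ? `VULNERABLE (HTTP ${status}): plaintext secrets at ${exposed.join(", ")}`
      : `OK (HTTP ${status}): no plaintext secrets returned without authentication`);
  });
}
```

Run the probe against an affected instance and the Serper key is reported; run it against a version that applies the redaction above (or 1.8.1 and later) and nothing is flagged. The check deliberately keys on field names rather than value formats, since provider keys have no common shape; tune SECRET_FIELD to your own configuration if your settings use other naming.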

Remediation

Users are advised to update to version 1.8.1 or later, where this vulnerability has been addressed. Because the endpoint required no authentication, any search-provider API keys configured on an affected instance that was reachable by untrusted clients should be treated as exposed and rotated after the upgrade.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  5.7
remediation     0.0
relevance       0.0
threat          6.2
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.