AnythingLLM Qdrant API Key Exposure Vulnerability

A vulnerability in AnythingLLM versions prior to 1.10.0 allows for the Qdrant API key to be exposed in plain text to unauthenticated users. This occurs through the '/api/setup-complete' endpoint when Qdrant is used as the vector database with an API key. The exposed Qdrant API key grants full read/write access to the Qdrant vector database instance associated with AnythingLLM. Since Qdrant typically holds the core knowledge base for retrieval-augmented generation in AnythingLLM, this vulnerability can lead to a complete compromise of the semantic search and retrieval functionality, as well as an indirect leakage of confidential documents that have been uploaded.

Impact

The leakage of the Qdrant API key allows unauthorized users to access and manipulate the Qdrant vector database used by AnythingLLM. This access includes reading all embedded vectors and metadata, which could involve extracting sensitive information from uploaded documents, deleting or overwriting collections, thereby causing data loss or corruption, and enumerating documents or workspaces to gain insights into private user data. In multi-tenant setups, this could result in cross-workspace data exposure or a denial-of-service condition.

Reproduction

To reproduce this vulnerability, configure AnythingLLM to use Qdrant as the vector database and include an API key. Then, send a request to the '/api/setup-complete' endpoint. The response will include the Qdrant API key in plain text, exposing it to unauthorized users.

Remediation

Users can update to AnythingLLM version 1.10.0 or later, where this vulnerability has been patched.