Description

In version 1.5.5 of mintplex-labs/anything-llm, the `/setup-complete` API endpoint allows unauthorized users to access sensitive system settings. The data returned by the `currentSettings` function includes sensitive information such as API keys for search engines, which can be exploited by attackers to steal these keys and cause loss of user assets.

INFO

Published Date :

2025-03-20T10:10:27.588Z

Last Modified :

2025-10-15T12:49:47.299Z

Source :

@huntr_ai
AFFECTED PRODUCTS

The following products are affected by CVE-2024-6842 vulnerability.

Vendors Products
Mintplexlabs
  • Anythingllm
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-6842.

URL Resource
https://github.com/mintplex-labs/anything-llm/commit/8b1ceb30c159cf3a10efa16275bc6849d84e4ea8 cve-icon cve-icon
https://huntr.com/bounties/cd911fc7-ac6b-4974-acd0-9cc926fa8d9e cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact