CVE-2026-5627
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Summary
A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the AgentFlows component. The vulnerability arises from improper handling of user input in the loadFlow and deleteFlow methods in server/utils/agentFlows/index.js. Specifically, the combination of path.join and normalizePath allows attackers to bypass directory restrictions and access or delete arbitrary .json files on the server. This can lead to information disclosure, such as leaking sensitive configuration files containing API keys, or denial of service by deleting critical files like package.json. The issue is resolved in version 1.12.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| mintplex-labs | mintplex-labs/anything-llm | unspecified < 1.12.1 | affected |
Weaknesses
- CWE-29: CWE-29 Path Traversal: '..\filename'
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://huntr.com/bounties/597d41c5-7ea0-4786-80f4-bd536ec66374
- https://github.com/mintplex-labs/anything-llm/commit/3444b9b0aa6764d72d53670ab4b1aaccdc6b7017
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.