Description
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313, the password recovery endpoint returns different error messages depending on whether a username exists, thereby enabling username enumeration. Commit e287fab56089cf8fcea9ba579a3ecdeca0daa313 fixes this issue.
Published: 2026-01-03
Score: 5.3 Medium
EPSS: 1.2% Low
KEV: No
Impact: Username Enumeration via Password Recovery
Action: Apply Patch
AI Analysis

Impact

AnythingLLM exposes an enumeration flaw in its password recovery endpoint: error messages vary depending on whether the supplied username exists, allowing an attacker to discover valid accounts. The vulnerability is an information disclosure that can facilitate targeted phishing or credential stuffing attempts. It is classified under CWE-203 (Observable Discrepancy) and CWE-204 (Observable Response Discrepancy): the observable difference between the two error responses is what leaks account existence.

Affected Systems

Mintplex-Labs AnythingLLM versions prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313 are affected. The affected CPE is cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*

Risk and Exploitability

The CVSS score is 5.3, giving it a medium severity. EPSS is less than 1%, indicating a low likelihood of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it by sending unauthenticated password recovery requests to the web endpoint and observing the differing responses, which provides knowledge of account existence without any further privileges.

Generated by OpenCVE AI on April 18, 2026 at 08:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update AnythingLLM to the patched version that includes commit e287fab56089cf8fcea9ba579a3ecdeca0daa313.
  • If a patch cannot be applied immediately, temporarily disable or restrict the password recovery endpoint and enforce uniform error messages for all usernames.
  • Implement rate limiting or CAPTCHA on the password recovery form and monitor logs for abnormal enumeration activity.
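The uniform-response mitigation in the actions above is easy to get subtly wrong (a different HTTP status, or a second branch such as "no recovery method configured", leaks as much as a different message). The following JavaScript is an added example, not AnythingLLM's code and not part of the OpenCVE record: it contrasts a constructed recovery handler that leaks account existence with one that returns the same status and body for every input, and includes a small regression check a defender can run against a handler to confirm its responses are indistinguishable. The in-memory user store, the handler names, the message strings and the probe usernames are all constructed for the example.

```javascript
// Constructed in-memory user store; stands in for the application's database.
const USERS = new Map([
  ["alice", { email: "alice@example.invalid", recoveryCodes: ["A1", "A2"] }],
]);

// Minimal response shape (status + JSON body), independent of any web framework.
function respond(status, body) {
  return { status, body };
}

// Leaky pattern (constructed illustration of the flaw class, not the real handler):
// both the body and the status depend on whether the username exists, and a second
// branch for accounts without recovery codes leaks even more state.
function recoverLeaky(username) {
  const user = USERS.get(username);
  if (!user) return respond(404, { error: "User not found" });
  if (user.recoveryCodes.length === 0) return respond(400, { error: "No recovery codes set" });
  return respond(200, { message: "Recovery email sent" });
}

// Hardened pattern: one status and one neutral message for every input. Work that
// applies only to real accounts still happens, but behind the uniform response, so
// the reply itself carries no information about the account.
const NEUTRAL = {
  message: "If an account with that username exists, recovery instructions have been issued.",
};
const sent = []; // constructed sink, stands in for the mail/notification queue

function recoverUniform(username) {
  const user = USERS.get(username);
  if (user && user.recoveryCodes.length > 0) {
    sent.push(user.email); // side effect stays gated; only the response is uniform
  }
  return respond(200, NEUTRAL);
}

// Defender's regression check: call a handler with a username known to exist and
// several that do not, and count the distinct (status, body) pairs observed.
// A result of 1 means the handler cannot be distinguished on status or body.
function distinctResponses(handler, usernames) {
  const seen = new Set();
  for (const u of usernames) {
    const r = handler(u);
    seen.add(JSON.stringify([r.status, r.body]));
  }
  return seen.size;
}

// Constructed probe set: one real account, two unknown names, and the empty string.
const PROBES = ["alice", "bob", "carol", ""];

console.log("leaky handler distinct responses:", distinctResponses(recoverLeaky, PROBES));
console.log("uniform handler distinct responses:", distinctResponses(recoverUniform, PROBES));
```

The check compares only status and body. A handler that performs a database lookup and queues mail for real accounts can still differ in response time; equalizing that (for example by performing the lookup and queuing work unconditionally) is a separate hardening step not shown here, and rate limiting on the endpoint, as recommended above, limits how many such probes can be made at all.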

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 18:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Mintplexlabs anythingllm
CPEs                 -                cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*
Vendors & Products   -                Mintplexlabs anythingllm

Tue, 06 Jan 2026 00:15:00 +0000

Type     Values Removed   Values Added
Metrics  -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 05 Jan 2026 10:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Mintplexlabs; Mintplexlabs anything-llm
Vendors & Products   -                Mintplexlabs; Mintplexlabs anything-llm

Sat, 03 Jan 2026 01:45:00 +0000

Type         Values Removed   Values Added
Description  -                AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313, the password recovery endpoint returns different error messages depending on whether a username exists, so enabling username enumeration. Commit e287fab56089cf8fcea9ba579a3ecdeca0daa313 fixes this issue.
Title        -                AnythingLLM Vulnerable to Username Enumeration w/ Password Recovery
Weaknesses   -                CWE-203; CWE-204
References   -                -
Metrics      -                cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-05T20:36:58.168Z

Reserved: 2025-12-29T14:34:16.005Z

Link: CVE-2026-21484

Vulnrichment

Updated: 2026-01-05T20:32:29.681Z

NVD

Status: Analyzed

Published: 2026-01-03T02:15:41.553

Modified: 2026-02-23T17:54:38.833

Link: CVE-2026-21484

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:30:35Z

Weaknesses