Description
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.10.0, a critical Path Traversal vulnerability in the DrupalWiki integration allows a malicious admin (or an attacker who can convince an admin to configure a malicious DrupalWiki URL) to write arbitrary files to the server. This can lead to Remote Code Execution (RCE) by overwriting configuration files or writing executable scripts. Version 1.10.0 fixes the issue.
Published: 2026-01-26
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

AnythingLLM contains a path traversal flaw in its DrupalWiki integration that enables an authenticated administrator, or any actor who can persuade an administrator to configure a malicious DrupalWiki URL, to write arbitrary files to the server. By overwriting configuration files or adding executable scripts, an attacker can gain remote code execution capabilities. The weakness aligns with the standard CWE-22 category of path traversal vulnerabilities.

Affected Systems

The issue affects all instances of Mintplex-Labs AnythingLLM running versions prior to 1.10.0. Only the product "AnythingLLM" from the vendor Mintplex-Labs is impacted, and the vulnerable code is confined to the DrupalWiki integration shipped with those releases; deployments that never configure a DrupalWiki source still carry the code and should be upgraded.

Risk and Exploitability

The CVSS 3.1 base score of 7.2 (High; vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) reflects a flaw reachable over the network with low attack complexity and no user interaction, offset by the high privilege level required. The EPSS score below 1% indicates a low estimated probability of exploitation over the next 30 days. The vulnerability is not listed in the CISA KEV catalog, so there is no CISA-confirmed exploitation in the wild; note, however, that the SSVC record lists Exploitation as "poc", meaning proof-of-concept code is known to exist. Exploitation requires administrator privileges or the ability to induce an administrator to configure an attacker-controlled DrupalWiki URL. Once achieved, an arbitrary file write on the server can be turned into full system compromise. The privileged-access requirement lowers the likelihood of exploitation, not its impact: treat this as high severity with opportunistic rather than mass exploitation.

Generated by OpenCVE AI on April 18, 2026 at 02:33 UTC.

Remediation

No vendor fix or workaround is recorded in this field. The CVE description itself states that version 1.10.0 fixes the issue, so upgrading to 1.10.0 or later is the remediation.

OpenCVE Recommended Actions

  • Upgrade AnythingLLM to version 1.10.0 or later to eliminate the path traversal flaw.
  • If an upgrade is not immediately possible, disable or remove the DrupalWiki integration, and restrict the external URLs administrators can configure to an allowlist of trusted hosts and schemes.
  • Restrict configuration changes to trusted administrators and monitor for unauthorized changes to external service settings.

Advisories

No advisories yet.

History

Wed, 28 Jan 2026 16:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Mintplexlabs anythingllm
CPEs                                  cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*
Vendors & Products                    Mintplexlabs anythingllm

Tue, 27 Jan 2026 22:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 09:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Mintplexlabs
                                      Mintplexlabs anything-llm
Vendors & Products                    Mintplexlabs
                                      Mintplexlabs anything-llm

Mon, 26 Jan 2026 23:45:00 +0000

Type                 Values Removed   Values Added
Description                           AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.10.0, a critical Path Traversal vulnerability in the DrupalWiki integration allows a malicious admin (or an attacker who can convince an admin to configure a malicious DrupalWiki URL) to write arbitrary files to the server. This can lead to Remote Code Execution (RCE) by overwriting configuration files or writing executable scripts. Version 1.10.0 fixes the issue.
Title                                 AnythingLLM vulnerable to Path Traversal
Weaknesses                            CWE-22
References
Metrics                               cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-27T21:29:55.195Z

Reserved: 2026-01-23T00:38:20.547Z

Link: CVE-2026-24478

Vulnrichment

Updated: 2026-01-27T21:29:51.675Z

NVD

Status : Analyzed

Published: 2026-01-27T00:15:51.297

Modified: 2026-01-28T15:52:39.977

Link: CVE-2026-24478

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:45:27Z

Weaknesses