Description
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the AnythingLLM agent filesystem copy tool validates only the top-level source and destination paths. The recursive copy helper then descends into child entries using fs.stat() and copies files with fs.copyFile() without validating each child or rejecting symlinks. Because both APIs follow symlinks, a symlink nested inside an allowed source directory can point outside the allowed filesystem root and cause outside file contents to be copied into an allowed destination as a regular file. This vulnerability is fixed in 1.13.0.
Published: 2026-05-28
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AnythingLLM is a content-to-LLM context engine. A vulnerability exists in the filesystem copy tool that validates only the top-level source and destination paths, then recursively copies child entries without re-validating or rejecting symlinks. Because the APIs follow symlinks, a malicious symlink that resides inside an allowed source directory can point to a file outside the permitted filesystem root, enabling the application to copy arbitrary external files into an allowed destination. This flaw can lead to unintended exposure of files that were intended to be protected, affecting confidentiality of data that resides outside the user's permitted namespace.

Affected Systems

Mintplex-Labs AnythingLLM versions prior to 1.13.0 are vulnerable. All installations that rely on the default filesystem copy helper and have not applied the 1.13.0 fix are exposed. Updated releases starting at 1.13.0 include a fix to validate each child entry and reject symlinks.

Risk and Exploitability

The CVSS score of 2 indicates a low severity risk under normal conditions; however, the vulnerability can lead to disclosure of files outside the allowed directory, which may be valuable to an attacker if sensitive data resides there. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog, suggesting limited documented exploitation at this time. The likely attack vector is local, requiring access to the application's file system or influence over the source directory structure. An attacker can create a nested symlink within an allowed source path that points to an external file, then trigger the copy operation to transfer that file into the allowed destination.

Generated by OpenCVE AI on May 28, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch or upgrade AnythingLLM to version 1.13.0 or newer, which validates every child path and blocks symlink traversal.
  • Verify that the filesystem copy tool no longer follows symlinks by attempting to copy a symlinked file from outside the allowed directory and confirming it is rejected.
  • Review and restrict the permissions and contents of any directories served as source paths for the filesystem copy tool to limit exposure of critical files to unintended users.

Advisories

No advisories yet.

History

Fri, 29 May 2026 19:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 23:30:00 +0000

Type: First Time appeared
Values Added: Mintplexlabs; Mintplexlabs anything-llm

Type: Vendors & Products
Values Added: Mintplexlabs; Mintplexlabs anything-llm

Thu, 28 May 2026 21:30:00 +0000

Type: Description
Values Added: AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the AnythingLLM agent filesystem copy tool validates only the top-level source and destination paths. The recursive copy helper then descends into child entries using fs.stat() and copies files with fs.copyFile() without validating each child or rejecting symlinks. Because both APIs follow symlinks, a symlink nested inside an allowed source directory can point outside the allowed filesystem root and cause outside file contents to be copied into an allowed destination as a regular file. This vulnerability is fixed in 1.13.0.

Type: Title
Values Added: AnythingLLM: filesystem-copy-file follows nested symlinks and copies files from outside the allowed directory

Type: Weaknesses
Values Added: CWE-59

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N'}


Subscriptions

Mintplexlabs Anything-llm
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T19:06:43.485Z

Reserved: 2026-05-12T01:48:40.451Z

Link: CVE-2026-45403

Vulnrichment

Updated: 2026-05-29T19:06:19.289Z

NVD

Status : Undergoing Analysis

Published: 2026-05-28T22:17:00.907

Modified: 2026-05-29T20:16:26.613

Link: CVE-2026-45403

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T23:15:17Z

Weaknesses