Cyber Resilience

CVE-2024-2913

Severity: Medium · Public PoC

Published: 07 May 2024
Modified: 09 July 2025
KEV Added: not listed
Patch: no patch reference recorded
CVSS Score v3: 6.5 (Medium), vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS Score: 0.0011 (29.6th percentile)
Risk Priority: 13 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-2913 is a medium-severity Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) vulnerability in Mintplex Labs' AnythingLLM (mintplex-labs/anything-llm). Its CVSS v3 base score is 6.5 (Medium): network-reachable, low attack complexity, no privileges or user interaction required, with a low impact on confidentiality and integrity and none on availability.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 29.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Other ATLAS/OWASP Terms risk domain.

Vulnerability details

A race condition vulnerability exists in the mintplex-labs/anything-llm repository, specifically within the user invite acceptance process. Attackers can exploit this vulnerability by sending multiple concurrent requests to accept a single user invite, allowing the creation of multiple user accounts from a single invite link intended for only one user. This bypasses the intended security mechanism that restricts invite acceptance to a single user, leading to unauthorized user creation without detection in the invite tab. The issue is due to the lack of validation for concurrent requests in the backend: the check that the invite is still unclaimed and the state change that marks it claimed and creates the account are separate steps, so every request whose check completes before the first write lands is accepted.
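The check-then-act pattern described above, modelled as an added example; this is not AnythingLLM's code. The in-memory "database", the invite code "inv-1" and the function names (makeDb, findInvite, claimInvite, acceptInviteVulnerable, acceptInviteSafe, race) are assumptions made for the demonstration. The vulnerable path reads the invite and then writes; the hardened path claims the invite in one atomic conditional write and only then creates the account.

```javascript
// Added example, not AnythingLLM's code: a minimal model of the invite-acceptance
// TOCTOU. The in-memory "database", the invite code "inv-1" and the function
// names are all assumptions made for the demonstration.

// Constructed state: one pending invite and an empty user table.
function makeDb() {
  return {
    invites: new Map([["inv-1", { code: "inv-1", status: "pending", claimedBy: null }]]),
    users: [],
  };
}

// Models a SELECT: the row is read when the query is issued, but the result is
// delivered on a later event-loop turn, so other requests can run in between.
function findInvite(db, code) {
  const row = db.invites.get(code);
  const snapshot = row ? { ...row } : null;
  return new Promise((resolve) => setImmediate(() => resolve(snapshot)));
}

// VULNERABLE (check-then-act, CWE-367): the "check" that the invite is still
// pending and the "use" that creates the account and marks it claimed are two
// separate steps. Every request whose check ran before the first write lands
// passes the check and creates its own account.
async function acceptInviteVulnerable(db, code, username) {
  const invite = await findInvite(db, code);                       // check
  if (!invite || invite.status !== "pending") return { ok: false };
  const user = { id: db.users.length + 1, username };              // use
  db.users.push(user);
  const row = db.invites.get(code);
  row.status = "claimed";
  row.claimedBy = user.id;
  return { ok: true, userId: user.id };
}

// Models one atomic conditional write, e.g. in SQL:
//   UPDATE invites SET status='claimed' WHERE code=? AND status='pending'
// returning the affected-row count. Only the first caller can observe 1.
// The single synchronous step here stands in for the database's row-level
// atomicity; in a real multi-process deployment the guarantee has to come
// from the database (conditional update, transaction or unique constraint),
// not from application code.
function claimInvite(db, code) {
  const row = db.invites.get(code);
  const count = row && row.status === "pending" ? 1 : 0;
  if (count === 1) row.status = "claimed";
  return new Promise((resolve) => setImmediate(() => resolve(count)));
}

// HARDENED: claim first, create the account only if this request won the claim.
async function acceptInviteSafe(db, code, username) {
  const claimed = await claimInvite(db, code);
  if (claimed !== 1) return { ok: false };
  const user = { id: db.users.length + 1, username };
  db.users.push(user);
  db.invites.get(code).claimedBy = user.id;
  return { ok: true, userId: user.id };
}

// Fires `attempts` concurrent acceptances of the same invite, as the attacker
// in the description does, and reports how many accounts resulted.
async function race(acceptFn, attempts = 5) {
  const db = makeDb();
  const results = await Promise.all(
    Array.from({ length: attempts }, (_, i) => acceptFn(db, "inv-1", `user${i}`))
  );
  return { accepted: results.filter((r) => r.ok).length, accounts: db.users.length };
}

(async () => {
  console.log("vulnerable:", await race(acceptInviteVulnerable)); // 5 accounts from one invite
  console.log("hardened:  ", await race(acceptInviteSafe));       // 1 account
})();
```

The point of the hardened version is that the decision "is this invite still usable?" and the state change "it is now used" happen in one step that the database serialises; checking the affected-row count (rather than reading the row first) is what closes the window. A uniqueness constraint on the claimed invite, or a transaction that locks the row for update, achieves the same thing.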

CWE(s)

CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

AI Security Analysis

AI Category: Enterprise AI Assistants
Risk Domain: Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: The vulnerability affects mintplex-labs/anything-llm, an open-source enterprise AI application for multi-user LLM interactions, document chatting, and AI-assisted workflows, fitting the Enterprise AI Assistants category.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1136.003 Create Account: Cloud Account (Persistence)
Adversaries may create a cloud account to maintain access to victim systems.

Why these techniques?

The race condition sits in a public-facing invite acceptance endpoint (T1190: Exploit Public-Facing Application) and enables unauthorized creation of multiple user accounts in the application from one invite, mapped here to T1136.003 (Create Account: Cloud Account). Note that the accounts created are AnythingLLM application accounts; the cloud-account sub-technique is the closest available mapping rather than a literal description.

Affected Assets

mintplexlabs / anythingllm, versions ≤ 1.0.0

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-367): Record timestamps in UTC or with an explicit offset so that check and use operations can be reconstructed in precise chronological order. This is a detective control: it helps identify TOCTOU abuse after the fact (for example several accounts created from one invite within milliseconds) but does not prevent it. Prevention requires making the check and the state change a single atomic operation in the backend.
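A detective check in the spirit of the timestamp control above, written here as an added example; it is not part of the page and not AnythingLLM's own logging or code. The JSON-lines log format, the field names (ts, event, invite, user, ok) and the sample entries are constructed for the demonstration. It parses ISO-8601 timestamps with a Z suffix or an explicit offset, groups successful invite acceptances by invite, and flags any invite accepted more than once together with how tightly the acceptances cluster.

```javascript
// Added example, not from the page or the project. Log format and sample lines
// are constructed; a real deployment would adapt parseLog() to its own logs.

// Constructed sample: one invite ("inv-1") accepted three times within 14 ms,
// one legitimately used invite ("inv-2"), and an unrelated event.
const SAMPLE_LOG = [
  '{"ts":"2024-05-07T10:00:00.120Z","event":"invite.accept","invite":"inv-1","user":"alice","ok":true}',
  '{"ts":"2024-05-07T10:00:00.131Z","event":"invite.accept","invite":"inv-1","user":"mallory1","ok":true}',
  '{"ts":"2024-05-07T10:00:00.134Z","event":"invite.accept","invite":"inv-1","user":"mallory2","ok":true}',
  '{"ts":"2024-05-07T10:00:00.140Z","event":"invite.accept","invite":"inv-1","user":"mallory3","ok":false}',
  '{"ts":"2024-05-07T11:15:42.000+02:00","event":"invite.accept","invite":"inv-2","user":"bob","ok":true}',
  '{"ts":"2024-05-07T11:20:00Z","event":"login","invite":null,"user":"bob","ok":true}',
].join("\n");

// Parses one JSON object per line. Timestamps carrying "Z" or an explicit
// offset parse unambiguously to epoch milliseconds, which is what makes
// cross-request ordering reliable. Malformed lines are skipped, not fatal.
function parseLog(text) {
  const events = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch { continue; }
    const ms = Date.parse(rec.ts);
    if (Number.isNaN(ms)) continue;
    events.push({ ...rec, ms });
  }
  return events;
}

// Flags any invite with more than one successful acceptance. spreadMs is the
// time between the first and last success: a few milliseconds points at a
// concurrent-request race, hours apart points at a different problem.
function findMultiUseInvites(text) {
  const byInvite = new Map();
  for (const e of parseLog(text)) {
    if (e.event !== "invite.accept" || !e.ok || !e.invite) continue;
    if (!byInvite.has(e.invite)) byInvite.set(e.invite, []);
    byInvite.get(e.invite).push(e);
  }
  const findings = [];
  for (const [invite, accepts] of byInvite) {
    if (accepts.length < 2) continue;
    accepts.sort((a, b) => a.ms - b.ms);
    findings.push({
      invite,
      users: accepts.map((a) => a.user),
      spreadMs: accepts[accepts.length - 1].ms - accepts[0].ms,
    });
  }
  return findings;
}

console.log(findMultiUseInvites(SAMPLE_LOG));
// [ { invite: 'inv-1', users: [ 'alice', 'mallory1', 'mallory2' ], spreadMs: 14 } ]
```

Only successful acceptances count: the failed fourth attempt on "inv-1" is excluded, so the finding lists exactly the accounts that were actually created from the invite. Running this kind of check against the audit log is what surfaces the "unauthorized user creation without detection in the invite tab" that the description warns about.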
