Cyber Resilience

CVE-2024-6842

Severity: High · Public PoC

Published: 20 March 2025
Modified: 15 October 2025
KEV Added: not listed
Patch: fix commit referenced (see Deeper analysis)
CVSS v3 Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.7479 (98.9th percentile)
Risk Priority: 60 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-6842 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Mintplexlabs Anythingllm. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2024-6842 is a missing authentication vulnerability in version 1.5.5 of mintplex-labs/anything-llm. The /setup-complete API endpoint invokes the currentSettings function and returns sensitive configuration data, including search engine API keys, without any access control checks. The issue is tracked as CWE-306 and carries a CVSS 7.5 rating reflecting network-accessible confidentiality exposure.

An unauthenticated attacker can send a request to the affected endpoint and retrieve the exposed keys, enabling theft of credentials that may lead to loss of user assets. No privileges or user interaction are required for successful exploitation.
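To make the CWE-306 shape concrete, here is an added illustration that is not anything-llm's own code and not the referenced fix commit: a plain-Node request handler in the form the description gives, the vulnerable version beside a hardened one that requires a session and redacts key-like settings before responding. The function names, the setting names, and the session store are all assumptions constructed for this example.

```javascript
// Added illustration, not anything-llm's own code or its fix commit.
// Assumed/constructed: the setting names, the session store and all function names.

// Settings the endpoint hands back; the search-engine keys stand in for the
// secrets the CVE description says were exposed (values are constructed).
function currentSettings() {
  return {
    llmProvider: "openai",
    agentSearchProvider: "serper",
    serperApiKey: "constructed-serper-key",
    googleSearchEngineKey: "constructed-google-key",
    multiUserMode: true,
  };
}

// CWE-306 shape: the handler never checks who is asking and returns the
// raw settings object, secrets included, to any caller.
function handleSetupCompleteVulnerable(req) {
  return { status: 200, body: { results: currentSettings() } };
}

// Hardened shape: authenticate first, then redact secret-like values so even
// an authorised caller only learns whether a key is configured, not its value.
const VALID_SESSIONS = new Set(["constructed-session-token"]); // stand-in for a session store

function isAuthenticated(req) {
  const header = (req.headers && req.headers.authorization) || "";
  const [scheme, token] = header.split(" ");
  return scheme === "Bearer" && token !== undefined && VALID_SESSIONS.has(token);
}

// Setting names that look like credentials get their values masked.
const SECRET_KEY_PATTERN = /(key|secret|token|password)/i;

function redactSecrets(settings) {
  const out = {};
  for (const [name, value] of Object.entries(settings)) {
    out[name] = SECRET_KEY_PATTERN.test(name) && value ? "<redacted>" : value;
  }
  return out;
}

function handleSetupCompleteHardened(req) {
  if (!isAuthenticated(req)) {
    return { status: 401, body: { error: "authentication required" } };
  }
  return { status: 200, body: { results: redactSecrets(currentSettings()) } };
}
```

The redaction step matters independently of the auth check: a settings endpoint has no reason to echo raw key material back to a browser even for an administrator, so a "configured / not configured" indicator limits the blast radius of any future authorization slip.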

The referenced commit 8b1ceb30c159cf3a10efa16275bc6849d84e4ea8 on the mintplex-labs/anything-llm repository implements a fix, with additional context available in the associated huntr bounty report.

The EPSS score peaked at 0.7732 on 2026-03-10 and remains elevated at 0.7479, indicating ongoing exploitation interest after disclosure.

Vulnerability details

In version 1.5.5 of mintplex-labs/anything-llm, the `/setup-complete` API endpoint allows unauthorized users to access sensitive system settings. The data returned by the `currentSettings` function includes sensitive information such as API keys for search engines, which can be exploited by attackers to steal these keys and cause loss of user assets.

AI Security Analysis

AI Category: LLM Application Platforms
Risk Domain: Privacy and Disclosure
OWASP Top 10 for LLMs 2025: none mapped
Classification Reason: matched keywords: llm

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1212 Exploitation for Credential Access (Credential Access): adversaries may exploit software vulnerabilities in an attempt to collect credentials.
Why these techniques?

The vulnerability enables unauthorized remote access to sensitive system settings via a public-facing API endpoint, exposing API keys. This maps to T1190 (Exploit Public-Facing Application) for the exploitation vector and T1212 (Exploitation for Credential Access) for obtaining credential material.

CVEs Like This One

CVE-2024-13059 (same product: Mintplexlabs Anythingllm)
CVE-2026-32628 (same product: Mintplexlabs Anythingllm)
CVE-2026-24477 (same product: Mintplexlabs Anythingllm)
CVE-2026-24478 (same product: Mintplexlabs Anythingllm)
CVE-2026-48116 (same product: Mintplexlabs Anythingllm)
CVE-2026-32617 (same product: Mintplexlabs Anythingllm)
CVE-2026-5627 (same product: Mintplexlabs Anythingllm)
CVE-2026-32626 (same product: Mintplexlabs Anythingllm)
CVE-2025-40765 (shared CWE-306)
CVE-2024-50630 (shared CWE-306)

Affected Assets

Vendor: mintplexlabs
Product: anythingllm
Version: 1.5.5

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-14 (Permitted Actions Without Identification or Authentication) requires organizations to explicitly authorize and minimize actions performable without identification or authentication, directly preventing unauthorized access to the /setup-complete endpoint that exposes sensitive API keys.

Prevent: AC-3 (Access Enforcement) mandates enforcement of approved access authorizations for logical access to system functions and information, blocking unauthenticated retrieval of sensitive system settings.

Prevent: SC-14 enforces protections for publicly accessible system interfaces to prevent unauthorized access to, and disclosure of, sensitive information such as API keys via endpoints such as /setup-complete.
