CVE-2024-6842
Published: 20 March 2025
Summary
CVE-2024-6842 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Mintplexlabs Anythingllm. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised under LLM Application Platforms and falls in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2024-6842 is a missing authentication vulnerability in version 1.5.5 of mintplex-labs/anything-llm. The /setup-complete API endpoint invokes the currentSettings function and returns sensitive configuration data, including search engine API keys, without any access control checks. The issue is tracked as CWE-306 and carries a CVSS 7.5 rating reflecting network-accessible confidentiality exposure.
An unauthenticated attacker can send a request to the affected endpoint and retrieve the exposed keys, enabling theft of credentials that may lead to loss of user assets. No privileges or user interaction are required for successful exploitation.
The referenced commit 8b1ceb30c159cf3a10efa16275bc6849d84e4ea8 on the mintplex-labs/anything-llm repository implements a fix, with additional context available in the associated huntr bounty report.
The EPSS score peaked at 0.7732 on 2026-03-10 and remains elevated at 0.7479, indicating ongoing exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6962
Vulnerability details
In version 1.5.5 of mintplex-labs/anything-llm, the `/setup-complete` API endpoint allows unauthorized users to access sensitive system settings. The data returned by the `currentSettings` function includes sensitive information such as API keys for search engines, which can be exploited by attackers to steal these keys and cause loss of user assets.
- CWE(s): CWE-306 (Missing Authentication for Critical Function)
AI Security Analysis
- AI Category: LLM Application Platforms
- Risk Domain: Privacy and Disclosure
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: llm
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthorized remote access to sensitive system settings via a public-facing API endpoint, exposing API keys. This maps to T1190 (Exploit Public-Facing Application) for the exploitation vector and T1212 (Exploitation for Credential Access) for obtaining credential material.
Affected Assets
- mintplex-labs/anything-llm version 1.5.5
Mitigating Controls (NIST 800-53 r5)
AC-14 requires organizations to explicitly authorize and minimize actions performable without identification or authentication, directly preventing unauthorized access to the /setup-complete endpoint exposing sensitive API keys.
AC-3 mandates enforcement of approved access authorizations for logical access to system functions and information, blocking unauthenticated retrieval of sensitive system settings.
SC-14 enforces protections for publicly accessible system interfaces to prevent unauthorized access and disclosure of sensitive information like API keys via endpoints such as /setup-complete.
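To make the endpoint behaviour described under "Deeper analysis" and the AC-14/AC-3 controls above concrete, here is an added JavaScript example (not anything-llm's own code): a route handler written the way the advisory describes, beside a hardened version, plus a response check a test suite can run. The settings object, its key names, the `{ user }` request shape and the secret-name pattern are constructed assumptions, not values from the project.

```javascript
// Constructed stand-in (not anything-llm's code) for what currentSettings() returns.
function currentSettings() {
  return {
    SetupComplete: true,
    LLMProvider: "openai",
    SearchEngineApiKey: "constructed-search-key", // constructed value, not a real key
    AgentSerperApiKey: "constructed-serper-key",  // constructed value, not a real key
  };
}

// Setting names that hold credential material (assumed naming convention).
const SECRET_KEY_PATTERN = /(api[_-]?key|secret|token|password)/i;

// Replace secret values with a fixed mask so a response only reveals whether a key is set.
function redactSecrets(settings) {
  const out = {};
  for (const [name, value] of Object.entries(settings)) {
    out[name] = SECRET_KEY_PATTERN.test(name) ? (value ? "********" : null) : value;
  }
  return out;
}

// BEFORE: the pattern the advisory describes. No identity check, full settings returned.
function setupCompleteVulnerable(req) {
  return { status: 200, body: { results: currentSettings() } };
}

// AFTER: AC-14 limits what an unauthenticated caller can learn to the single
// boolean the setup flow needs; AC-3 plus redaction keeps raw keys off the wire
// even for authenticated callers.
function setupCompleteHardened(req) {
  const settings = currentSettings();
  if (!req.user) {
    return { status: 200, body: { results: { SetupComplete: settings.SetupComplete } } };
  }
  return { status: 200, body: { results: redactSecrets(settings) } };
}

// Response check for a test suite or egress filter: does any secret-named
// field carry an unmasked string value?
function responseLeaksSecret(body) {
  return Object.entries(body.results || {}).some(
    ([name, value]) =>
      SECRET_KEY_PATTERN.test(name) && typeof value === "string" && value !== "********"
  );
}
```

Running `responseLeaksSecret` against every JSON response in an integration test is a cheap regression guard for this class of bug, independent of which middleware guards the route.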