CVE-2024-6842
Published: 20 March 2025
Summary
CVE-2024-6842 is an uncategorised-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Mintplexlabs Anythingllm (mintplex-labs/anything-llm). Its CVSS base score is N/A: no score has been assigned.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 1.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-14 requires organizations to explicitly authorize and minimize the actions that can be performed without identification or authentication; an endpoint that returns system settings, such as /setup-complete, should never be on that list, which directly prevents the unauthenticated disclosure of API keys described here.
AC-3 mandates enforcement of approved access authorizations for logical access to system functions and information, so that retrieval of sensitive system settings is blocked for anyone who has not been authenticated and authorized.
SC-14 (Public Access Protections) is cited for the same purpose, protecting publicly accessible system interfaces such as /setup-complete against unauthorized access and disclosure of secrets like API keys. Note, however, that SC-14 is withdrawn in NIST 800-53 (its requirements were incorporated into AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7 and SI-10), so in an r5 mapping the control of record for this endpoint is AC-3.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthorized remote access to sensitive system settings via a public-facing API endpoint, exposing API keys. This maps to T1190 (Exploit Public-Facing Application) for the exploitation vector and T1212 (Exploitation for Credential Access) for obtaining credential material.
NVD Description
In version 1.5.5 of mintplex-labs/anything-llm, the `/setup-complete` API endpoint allows unauthorized users to access sensitive system settings. The data returned by the `currentSettings` function includes sensitive information such as API keys for search engines, which can be exploited by attackers to steal these keys and cause loss of user assets.
Deeper analysis
CVE-2024-6842 is a vulnerability in version 1.5.5 of mintplex-labs/anything-llm, classified under CWE-306 (Missing Authentication for Critical Function). The issue lies in the `/setup-complete` API endpoint, which allows unauthorized users to access sensitive system settings via the `currentSettings` function. This exposure includes critical data such as API keys for search engines.
Any unauthorized user capable of reaching the `/setup-complete` endpoint can exploit the vulnerability to retrieve these sensitive settings. Successful exploitation enables attackers to steal API keys, potentially resulting in the loss of user assets tied to those credentials.
Mitigation details are provided in the project's GitHub commit at https://github.com/mintplex-labs/anything-llm/commit/8b1ceb30c159cf3a10efa16275bc6849d84e4ea8, which addresses the unauthorized access. Further information, including bounty details, is available on the Huntr page at https://huntr.com/bounties/cd911fc7-ac6b-4974-acd0-9cc926fa8d9e. Security practitioners should ensure deployments run a release that includes that commit, i.e. one later than version 1.5.5, and should rotate any search-engine API keys that were configured while a vulnerable instance was reachable from untrusted networks, since the keys may already have been read.
As an open-source LLM platform, anything-llm's exposure of search engine API keys highlights a recurring risk in AI/ML deployments that hold credentials for integrated third-party services: the configuration surface of the assistant becomes a credential store. A public proof-of-concept is referenced, but no evidence of in-the-wild exploitation is noted in available data.
Details
- CWE(s): CWE-306 (Missing Authentication for Critical Function)
- Affected Products: mintplex-labs/anything-llm 1.5.5
AI Security Analysis
- AI Category
- Enterprise AI Assistants
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- anything-llm is an open-source platform for deploying LLM-based AI assistants that handle document chatting and integrations with LLMs and search engines, fitting the Enterprise AI Assistants category. The vulnerability involves unauthorized API access leaking sensitive configuration like search engine API keys in this AI deployment tool.