Cyber Resilience

CVE-2026-21484

MediumPublic PoC

Published: 03 January 2026

Published
03 January 2026
Modified
23 February 2026
KEV Added
Patch
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score 0.0038 60.1th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21484 is a medium-severity Observable Discrepancy (CWE-203) vulnerability in Mintplexlabs Anythingllm. Its CVSS base score is 5.3 (Medium).

Operationally, ranked in the top 39.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Privacy and Disclosure risk domain.

EU & UK References

Vulnerability details

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313, the password recovery endpoint returns different error messages depending on whether a username exists, so enabling…

more

username enumeration. Commit e287fab56089cf8fcea9ba579a3ecdeca0daa313 fixes this issue.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: anythingllm, llm

Related Threats

Affected Assets

mintplexlabs
anythingllm
≤ 1.10.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-203 CWE-204

Misdirection can normalize or falsify responses to eliminate observable discrepancies that aid reconnaissance.

addresses: CWE-203 CWE-204

Prevents attackers from using observable differences in error responses to infer internal system details or state.

addresses: CWE-203

Observable discrepancies in system behavior can be modulated to create covert storage or timing channels; the required analysis detects and constrains such avenues.

References