CVE-2026-24477
Published: 27 January 2026
Summary
CVE-2026-24477 is a high-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in Mintplexlabs Anythingllm. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 27.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-15 (Information Output Filtering).
Deeper analysis
AnythingLLM versions prior to 1.10.0 expose the QdrantApiKey in plaintext through the unauthenticated /api/setup-complete endpoint when the application is configured to use Qdrant as its vector database. The affected component is the setup status endpoint in this open-source LLM orchestration tool that manages retrieval-augmented generation workflows. The flaw is tracked as CWE-201 and carries a CVSS 4.0 score of 8.7.
An unauthenticated remote attacker can retrieve the API key and obtain full read/write access to the Qdrant instance. Because Qdrant stores the core knowledge base for semantic search, the attacker can extract or alter embedded documents, thereby compromising the retrieval functionality and indirectly disclosing any confidential content that users have uploaded into AnythingLLM.
The referenced GitHub Security Advisory GHSA-gm94-qc2p-xcwf states that the issue is resolved in version 1.10.0, which prevents the key from being returned by the endpoint.
The EPSS score rose from a low baseline to a peak of 0.1400 (current value 0.1041), indicating increased exploitation interest after disclosure. The vulnerability is directly relevant to AI/ML deployments that rely on AnythingLLM for RAG over private corpora.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4732
Vulnerability details
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this…
more
QdrantApiKey could be exposed in plain text to unauthenticated users via the `/api/setup-complete` endpoint. Leakage of QdrantApiKey allows an unauthenticated attacker full read/write access to the Qdrant vector database instance used by AnythingLLM. Since Qdrant often stores the core knowledge base for RAG in AnythingLLM, this can lead to complete compromise of the semantic search / retrieval functionality and indirect leakage of confidential uploaded documents. Version 1.10.0 patches the issue.
- CWE(s)
AI Security AnalysisAI
- AI Category
- LLM Application Platforms
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: anythingllm, llm, qdrant
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE directly enables unauthenticated exploitation of a public-facing web endpoint to obtain database API credentials (T1190), which are stored and exposed insecurely (T1552), granting full access to the vector DB for data access/manipulation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely identification, reporting, and correction of software flaws like the plain-text exposure of the Qdrant API key in AnythingLLM's unauthenticated /api/setup-complete endpoint, as patched in version 1.10.0.
Mandates identification of unauthenticated system endpoints like /api/setup-complete and implementation of protections to prevent disclosure of sensitive information such as the Qdrant API key.
Requires filtering of sensitive information, such as API keys, from outputs sent to unauthenticated users via API responses.