Cyber Posture

CVE-2026-24477

High · Public PoC

Published: 27 January 2026

Modified: 28 January 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.1122 (93.6th percentile)
Risk Priority: 22 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-24477 is a high-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in Mintplex Labs AnythingLLM. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 6.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related — categorised as Other AI Platforms.

The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Requires timely identification, reporting, and correction of software flaws like the plain-text exposure of the Qdrant API key in AnythingLLM's unauthenticated /api/setup-complete endpoint, as patched in version 1.10.0.

prevent

Mandates identification of unauthenticated system endpoints like /api/setup-complete and implementation of protections to prevent disclosure of sensitive information such as the Qdrant API key.

prevent

Requires filtering of sensitive information, such as API keys, from outputs sent to unauthenticated users via API responses.
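
One way to apply the output-filtering control described above, as an added example (not AnythingLLM's code and not its 1.10.0 patch): the body returned to unauthenticated callers is built from an allowlist, and a second pass reports any secret-looking key that still carries a string value. Every field name other than QdrantApiKey, and the sample settings object, are constructed for illustration.

```javascript
// Added example: allowlist-based output filtering for a settings endpoint.
// Not AnythingLLM code. Field names other than QdrantApiKey are hypothetical.

// Fields an unauthenticated caller may see (hypothetical names).
const PUBLIC_FIELDS = new Set(["RequiresAuth", "MultiUserMode", "VectorDB"]);

// Key names that must never leave the server, matched case-insensitively.
const SECRET_KEY_PATTERN = /(api[_-]?key|secret|token|password)/i;

// Build the response body from the allowlist instead of deleting known-bad
// keys, so a newly added secret setting stays hidden by default.
function filterSettings(settings, { authenticated }) {
  const out = {};
  for (const [key, value] of Object.entries(settings)) {
    if (!authenticated && !PUBLIC_FIELDS.has(key)) continue;
    // Even authenticated callers get a presence flag, not the secret itself.
    out[key] = SECRET_KEY_PATTERN.test(key) ? Boolean(value) : value;
  }
  return out;
}

// Defence in depth: list secret-looking keys (at any depth) whose value is
// still a non-empty string. Run it in a test or a response hook and fail
// closed when the list is not empty.
function findLeakedSecrets(body, path = "") {
  const leaks = [];
  for (const [key, value] of Object.entries(body ?? {})) {
    const here = path ? `${path}.${key}` : key;
    if (value && typeof value === "object") {
      leaks.push(...findLeakedSecrets(value, here));
    } else if (SECRET_KEY_PATTERN.test(key) && typeof value === "string" && value !== "") {
      leaks.push(here);
    }
  }
  return leaks;
}

// Constructed sample settings; the key value is a placeholder.
const sampleSettings = {
  RequiresAuth: true,
  MultiUserMode: false,
  VectorDB: "qdrant",
  QdrantEndpoint: "http://qdrant.internal.example:6333",
  QdrantApiKey: "PLACEHOLDER-NOT-A-REAL-KEY",
};

console.log(filterSettings(sampleSettings, { authenticated: false }));
console.log(findLeakedSecrets(sampleSettings));
```

Running `findLeakedSecrets` over the serialized body of every route reachable without a session, as part of CI, catches a regression of this kind before release.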

MITRE ATT&CK Enterprise Techniques · AI

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1552 · Unsecured Credentials · Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials.

Why these techniques?

The CVE directly enables unauthenticated exploitation of a public-facing web endpoint to obtain database API credentials (T1190), which are stored and exposed insecurely (T1552), granting full access to the vector DB for data access/manipulation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text to unauthenticated users via the `/api/setup-complete` endpoint. Leakage of QdrantApiKey allows an unauthenticated attacker full read/write access to the Qdrant vector database instance used by AnythingLLM. Since Qdrant often stores the core knowledge base for RAG in AnythingLLM, this can lead to complete compromise of the semantic search / retrieval functionality and indirect leakage of confidential uploaded documents. Version 1.10.0 patches the issue.

Deeper analysis · AI

CVE-2026-24477 is a vulnerability in AnythingLLM, an application that converts content into context for large language models (LLMs) during interactions. In versions prior to 1.10.0, when configured to use Qdrant as the vector database with an API key, the QdrantApiKey is exposed in plain text to unauthenticated users via the `/api/setup-complete` endpoint. This issue, classified under CWE-201 (Insertion of Sensitive Information Into Sent Data), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with low attack complexity.

An unauthenticated attacker can exploit this by directly accessing the `/api/setup-complete` endpoint to retrieve the QdrantApiKey. With the key, the attacker gains full read/write access to the associated Qdrant vector database instance, which typically stores AnythingLLM's core knowledge base for retrieval-augmented generation (RAG). This enables manipulation or extraction of semantic search and retrieval data, potentially leading to indirect leakage of confidential documents uploaded to the system.

The GitHub security advisory (GHSA-gm94-qc2p-xcwf) confirms that AnythingLLM version 1.10.0 addresses the vulnerability by patching the exposure of the API key. Security practitioners should upgrade to version 1.10.0 or later and review configurations using Qdrant to ensure API keys are not exposed, particularly in internet-facing deployments.

Details

CWE(s)

Affected Products

mintplexlabs · anythingllm · ≤ 1.10.0

AI Security Analysis · AI

AI Category: Other AI Platforms
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: llm

CVEs Like This One

CVE-2026-32628 · Same product: Mintplex Labs AnythingLLM
CVE-2026-32617 · Same product: Mintplex Labs AnythingLLM
CVE-2026-24478 · Same product: Mintplex Labs AnythingLLM
CVE-2026-5627 · Same product: Mintplex Labs AnythingLLM
CVE-2024-13059 · Same product: Mintplex Labs AnythingLLM
CVE-2024-6842 · Same product: Mintplex Labs AnythingLLM
CVE-2026-32626 · Same product: Mintplex Labs AnythingLLM
CVE-2026-5483 · Shared CWE-201
CVE-2026-27934 · Shared CWE-201
CVE-2025-68033 · Shared CWE-201
