Cyber Resilience

CVE-2026-24477

HighPublic PoC

Published: 27 January 2026

Published
27 January 2026
Modified
28 January 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0157 72.1th percentile
Risk Priority 60 floored blend · peak EPSS

Summary

CVE-2026-24477 is a high-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in Mintplexlabs Anythingllm. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 27.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-15 (Information Output Filtering).

Deeper analysis

AnythingLLM versions prior to 1.10.0 expose the QdrantApiKey in plaintext through the unauthenticated /api/setup-complete endpoint when the application is configured to use Qdrant as its vector database. The affected component is the setup status endpoint in this open-source LLM orchestration tool that manages retrieval-augmented generation workflows. The flaw is tracked as CWE-201 and carries a CVSS 4.0 score of 8.7.

An unauthenticated remote attacker can retrieve the API key and obtain full read/write access to the Qdrant instance. Because Qdrant stores the core knowledge base for semantic search, the attacker can extract or alter embedded documents, thereby compromising the retrieval functionality and indirectly disclosing any confidential content that users have uploaded into AnythingLLM.

The referenced GitHub Security Advisory GHSA-gm94-qc2p-xcwf states that the issue is resolved in version 1.10.0, which prevents the key from being returned by the endpoint.

The EPSS score rose from a low baseline to a peak of 0.1400 (current value 0.1041), indicating increased exploitation interest after disclosure. The vulnerability is directly relevant to AI/ML deployments that rely on AnythingLLM for RAG over private corpora.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this…

more

QdrantApiKey could be exposed in plain text to unauthenticated users via the `/api/setup-complete` endpoint. Leakage of QdrantApiKey allows an unauthenticated attacker full read/write access to the Qdrant vector database instance used by AnythingLLM. Since Qdrant often stores the core knowledge base for RAG in AnythingLLM, this can lead to complete compromise of the semantic search / retrieval functionality and indirect leakage of confidential uploaded documents. Version 1.10.0 patches the issue.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: anythingllm, llm, qdrant

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552 Unsecured Credentials Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

The CVE directly enables unauthenticated exploitation of a public-facing web endpoint to obtain database API credentials (T1190), which are stored and exposed insecurely (T1552), granting full access to the vector DB for data access/manipulation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-13059Same product: Mintplexlabs Anythingllm
CVE-2026-32628Same product: Mintplexlabs Anythingllm
CVE-2026-48116Same product: Mintplexlabs Anythingllm
CVE-2026-24478Same product: Mintplexlabs Anythingllm
CVE-2026-32617Same product: Mintplexlabs Anythingllm
CVE-2024-6842Same product: Mintplexlabs Anythingllm
CVE-2026-5627Same product: Mintplexlabs Anythingllm
CVE-2026-32626Same product: Mintplexlabs Anythingllm
CVE-2020-37093Shared CWE-201
CVE-2020-37150Shared CWE-201

Affected Assets

mintplexlabs
anythingllm
≤ 1.10.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and correction of software flaws like the plain-text exposure of the Qdrant API key in AnythingLLM's unauthenticated /api/setup-complete endpoint, as patched in version 1.10.0.

prevent

Mandates identification of unauthenticated system endpoints like /api/setup-complete and implementation of protections to prevent disclosure of sensitive information such as the Qdrant API key.

prevent

Requires filtering of sensitive information, such as API keys, from outputs sent to unauthenticated users via API responses.

References