AnythingLLM's password recovery endpoint leaks information about valid usernames through differential error messages, enabling account enumeration attacks. Public exploit code exists for this low-complexity network vulnerability that requires no authentication. The issue has been patched as of commit e287fab56089cf8fcea9ba579a3ecdeca0daa313.
Information Disclosure
AI / ML
Anythingllm
NVD
GitHub
CVSS 3.1
5.3
EPSS
0.1%