What is the CVSS score of CVE-2024-13060?

CVE-2024-13060 has a CVSS 3.1 base score of 4.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. EPSS exploitation probability: 0.1%.

Which versions of Docker are affected by CVE-2024-13060?

Organizations using AnythingLLM Docker should be aware of moderate risk from CVE-2024-13060, a missing authorization vulnerability rated CVSS 4.3.. A patch is available.

Is there a public PoC exploit available for CVE-2024-13060?

Yes, a public proof-of-concept exploit is available for CVE-2024-13060. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2024-13060?

Within 30 days: Identify affected systems running AnythingLLM Docker and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Docker CVE-2024-13060

MEDIUM

Missing Authorization (CWE-862)

2025-03-20 security@huntr.dev

Authentication Bypass Docker Anythingllm Docker

4.3

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

4.3 MEDIUM

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:32 vuln.today

Patch released

Mar 28, 2026 - 18:32 nvd

Patch available

PoC Detected

Oct 15, 2025 - 13:15 vuln.today

Public exploit code

CVE Published

Mar 20, 2025 - 10:15 nvd

MEDIUM 4.3

DescriptionCVE.org

A vulnerability in AnythingLLM Docker version 1.3.1 allows users with 'Default' permission to access other users' profile pictures by changing the 'id' parameter in the user cookie. This issue is present in versions prior to 1.3.1.

AnalysisAI

Technical ContextAI

This vulnerability is classified as Missing Authorization (CWE-862), which allows attackers to access resources or perform actions without proper authorization checks. A vulnerability in AnythingLLM Docker version 1.3.1 allows users with 'Default' permission to access other users' profile pictures by changing the 'id' parameter in the user cookie. This issue is present in versions prior to 1.3.1. Affected products include: Mintplexlabs Anythingllm Docker. Version information: version 1.3.1.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement role-based access control, validate authorization on every request server-side, apply principle of least privilege.

More from same product – last 7 days

CVE-2026-48039 CRITICAL Act Now POC

9.1 Jun 11

Unauthenticated remote attackers can invoke MCP tool handlers and exfiltrate the operator's long-lived Meta Graph API ac

CVE-2026-53753 CRITICAL Act Now

9.8 Jun 16

Unauthenticated remote code execution in Crawl4AI versions <= 0.8.6 allows attackers to escape the AST-based sandbox in

CVE-2026-47172 CRITICAL Act Now

9.5 Jun 11

Privileged GitHub Actions workflow injection in Quest Bot (Discord moderation bot) prior to version 1.0.3 allows remote

CVE-2026-47174 CRITICAL Act Now

9.5 Jun 11

Production deployment compromise in Duck Site before 1.0.1 allows remote attackers to push attacker-controlled code as t

CVE-2026-53755 HIGH This Week

8.6 Jun 16

Server-side request forgery in Crawl4AI's Docker API server (versions <= 0.8.8) allows unauthenticated remote attackers

CVE-2024-13060 vulnerability details – vuln.today

Back

Docker CVE-2024-13060

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code