What is the CVSS score of CVE-2024-6842?

CVE-2024-6842 has a CVSS 3.0 base score of 7.5 (High). CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 77.3%.

Which versions of Anythingllm are affected by CVE-2024-6842?

CVE-2024-6842 presents notable security risk, a missing authentication vulnerability rated CVSS 7.5.. A patch is available.

Is there a public PoC exploit available for CVE-2024-6842?

Yes, a public proof-of-concept exploit is available for CVE-2024-6842. Prioritise patching immediately. EPSS: 77.3%.

How to fix or mitigate CVE-2024-6842?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Audit authentication configurations and rotate any potentially compromised credentials.

Anythingllm CVE-2024-6842

HIGH

Missing Authentication for Critical Function (CWE-306)

2025-03-20 security@huntr.dev

Authentication Bypass Anythingllm

7.5

CVSS 3.0

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:32 vuln.today

Patch released

Mar 28, 2026 - 18:32 nvd

Patch available

PoC Detected

Oct 15, 2025 - 13:15 vuln.today

Public exploit code

CVE Published

Mar 20, 2025 - 10:15 nvd

HIGH 7.5

DescriptionNVD

In version 1.5.5 of mintplex-labs/anything-llm, the /setup-complete API endpoint allows unauthorized users to access sensitive system settings. The data returned by the currentSettings function includes sensitive information such as API keys for search engines, which can be exploited by attackers to steal these keys and cause loss of user assets.

AnalysisAI

AnythingLLM version 1.5.5 exposes sensitive system settings including search engine API keys through the unauthenticated /setup-complete endpoint. Attackers can steal API keys, enumerate system configuration, and leverage exposed credentials to compromise integrated services.

Technical ContextAI

The /setup-complete API endpoint calls the currentSettings function without authentication checks. The returned configuration data includes API keys for search engines (SerpAPI, Google Custom Search), embedding providers, vector databases, and other integrated services. These keys can be extracted and used to access the respective services at the organization's expense.

RemediationAI

Update to AnythingLLM version 1.5.6 or later. Rotate all API keys after patching. Never expose AnythingLLM directly to the internet without authentication. Implement network-level access restrictions. Monitor API key usage on all integrated services for unauthorized activity.

CVE-2024-6842 vulnerability details – vuln.today

Back

Anythingllm CVE-2024-6842

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code