How to fix CVE-2024-6842?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Audit authentication configurations and rotate any potentially compromised credentials.

Is Anythingllm affected by CVE-2024-6842?

CVE-2024-6842 presents notable security risk, a missing authentication vulnerability rated CVSS 7.5. Attackers could bypass security controls to gain unauthorized access to protected resources and sensitive data.

CVE-2024-6842

HIGH

2025-03-20 [email protected]

7.5

CVSS 3.0

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:32 vuln.today

Patch Released

Mar 28, 2026 - 18:32 nvd

Patch available

PoC Detected

Oct 15, 2025 - 13:15 vuln.today

Public exploit code

CVE Published

Mar 20, 2025 - 10:15 nvd

HIGH 7.5

Description

In version 1.5.5 of mintplex-labs/anything-llm, the `/setup-complete` API endpoint allows unauthorized users to access sensitive system settings. The data returned by the `currentSettings` function includes sensitive information such as API keys for search engines, which can be exploited by attackers to steal these keys and cause loss of user assets.

Analysis

AnythingLLM version 1.5.5 exposes sensitive system settings including search engine API keys through the unauthenticated /setup-complete endpoint. Attackers can steal API keys, enumerate system configuration, and leverage exposed credentials to compromise integrated services.

Technical Context

The /setup-complete API endpoint calls the currentSettings function without authentication checks. The returned configuration data includes API keys for search engines (SerpAPI, Google Custom Search), embedding providers, vector databases, and other integrated services. These keys can be extracted and used to access the respective services at the organization's expense.

Affected Products

['AnythingLLM <= 1.5.5', 'mintplex-labs/anything-llm']

Remediation

Update to AnythingLLM version 1.5.6 or later. Rotate all API keys after patching. Never expose AnythingLLM directly to the internet without authentication. Implement network-level access restrictions. Monitor API key usage on all integrated services for unauthorized activity.

Priority Score

135

Low Medium High Critical

KEV: 0

EPSS: +77.3

CVSS: +38

POC: +20

CVE-2024-6842 vulnerability details – vuln.today

Back

CVE-2024-6842

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2024-6842

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code