Skip to main content

AnythingLLM CVE-2026-45403

| EUVDEUVD-2026-33067 LOW
Improper Link Resolution Before File Access (CWE-59)
2026-05-28 GitHub_M
2.0
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.0 LOW
AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
May 28, 2026 - 23:02 EUVD
Source Code Evidence Fetched
May 28, 2026 - 21:51 vuln.today
Analysis Generated
May 28, 2026 - 21:51 vuln.today

DescriptionGitHub Advisory

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the AnythingLLM agent filesystem copy tool validates only the top-level source and destination paths. The recursive copy helper then descends into child entries using fs.stat() and copies files with fs.copyFile() without validating each child or rejecting symlinks. Because both APIs follow symlinks, a symlink nested inside an allowed source directory can point outside the allowed filesystem root and cause outside file contents to be copied into an allowed destination as a regular file. This vulnerability is fixed in 1.13.0.

AnalysisAI

Symlink following in the AnythingLLM agent filesystem copy tool (versions prior to 1.13.0) allows a highly-privileged authenticated user to read files outside the configured filesystem sandbox by placing a symbolic link inside an agent-accessible source directory. The recursive copy helper validates only top-level paths, then descends into child entries using Node.js fs.stat() and fs.copyFile(), both of which transparently follow symlinks - silently redirecting reads to targets outside the allowed root and materializing their contents in an accessible destination. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog; the CVSS score of 2.0 reflects that exploitation is constrained to high-privilege accounts with high complexity and required user interaction.

Technical ContextAI

AnythingLLM (CPE: cpe:2.3:a:mintplex-labs:anything-llm:*:*:*:*:*:*:*:*) is a Node.js application that exposes AI agents with optional filesystem capabilities. The vulnerable component is server/utils/agents/aibitat/plugins/filesystem/copy-file.js. The root cause maps to CWE-59 (Improper Link Resolution Before File Access - 'Link Following'): the recursive copy helper called fs.stat() on each child entry before copying it with fs.copyFile(). In Node.js, fs.stat() resolves symbolic links and returns metadata for the link target rather than the link itself, and fs.copyFile() copies the resolved target's contents - neither API surfaces the fact that a symlink was traversed. A symlink planted anywhere inside the allowed source tree can therefore redirect the copy operation to arbitrary files on the host filesystem, including secrets and credentials. The confirmed fix in commit 21ce03087145a4261c1de03b056fba639f699c09 replaces fs.stat() with fs.lstat(), which reports metadata for the link node itself rather than its target, and inserts an explicit guard that throws an error and aborts the copy if any entry is identified as a symbolic link.

RemediationAI

The primary fix is upgrading AnythingLLM to version 1.13.0, which resolves the vulnerability by replacing fs.stat() with fs.lstat() in the recursive copy helper and adding an explicit guard that rejects symbolic links encountered during agent copy operations. The patch is documented in GitHub Security Advisory GHSA-vjrp-43mm-j7vw (https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-vjrp-43mm-j7vw) and directly visible in commit 21ce03087145a4261c1de03b056fba639f699c09 (https://github.com/Mintplex-Labs/anything-llm/commit/21ce03087145a4261c1de03b056fba639f699c09). As a compensating control prior to patching, administrators should disable the agent filesystem copy capability entirely if it is not operationally required - this eliminates the attack surface with no impact on core LLM chat functionality. Where the feature must remain active, restrict agent filesystem tool access to the minimum set of accounts with a genuine operational need, audit agent-accessible source directories for any pre-existing symbolic links, and ensure the AnythingLLM process runs under an OS account with the narrowest possible filesystem permissions to reduce the set of sensitive files reachable via symlink traversal.

CVE-2023-4899 HIGH POC
8.8 Sep 12

SQL Injection in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. Rated high severity (CVSS 8.8), this vulne

CVE-2023-4898 HIGH POC
7.5 Sep 12

Authentication Bypass by Primary Weakness in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. Rated high sev

CVE-2026-32626 CRITICAL
9.6 Mar 13

XSS in AnythingLLM 1.11.1 and earlier.

CVE-2026-32628 HIGH
7.7 Mar 13

SQL injection in AnythingLLM versions 1.11.1 and earlier enables authenticated users to execute arbitrary SQL commands a

CVE-2026-32617 HIGH
7.1 Mar 13

AnythingLLM versions 1.11.1 and earlier contain an authentication bypass vulnerability on default installations where th

CVE-2026-41318 MEDIUM
5.4 Apr 24

Stored DOM-level XSS in AnythingLLM's chart caption rendering allows authenticated users in shared workspaces to inject

CVE-2026-48789 MEDIUM
4.3 Jun 24

Path traversal in AnythingLLM's document folder listing endpoint on Windows allows authenticated low-privilege users to

CVE-2026-42456 MEDIUM
4.3 May 08

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatti

CVE-2026-32719 MEDIUM
4.2 Mar 13

AnythingLLM versions 1.11.1 and earlier contain a Zip Slip path traversal vulnerability in the community plugin import f

CVE-2026-32715 LOW
3.8 Mar 13

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatti

CVE-2026-32717 LOW
2.7 Mar 13

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatti

CVE-2026-47713 LOW
2.0 May 28

Stale mobile device tokens in AnythingLLM survive single-user to multi-user mode migration with a null userId, allowing

Share

CVE-2026-45403 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy