Skip to main content

AnythingLLM CVE-2026-48789

| EUVDEUVD-2026-39008 MEDIUM
Path Traversal (CWE-22)
2026-06-24 GitHub_M
4.3
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Network-accessible endpoint requires low-privilege authentication; impact is read-only directory listing disclosure with no integrity, availability, or scope-change consequence.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
Jun 24, 2026 - 19:17 EUVD
Analysis Generated
Jun 24, 2026 - 18:16 vuln.today
CVE Published
Jun 24, 2026 - 17:13 cve.org
MEDIUM 4.3

DescriptionCVE.org

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, on Windows, the document folder listing route can accept an encoded absolute Windows path that resolves outside the intended documents directory. The shared path containment helper rejects POSIX-style "../" traversal but does not reject Windows-style parent paths returned by path.relative(), such as "..". This vulnerability is fixed in 1.13.0.

AnalysisAI

Path traversal in AnythingLLM's document folder listing endpoint on Windows allows authenticated low-privilege users to enumerate directories outside the intended documents directory. The root cause is a platform-specific gap in the shared path containment helper: it correctly rejects POSIX-style '../' sequences but fails to reject Windows-style parent path segments produced by Node.js path.relative(), such as bare '..'. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege credentials
Delivery
Craft HTTP request with encoded Windows absolute path or path.relative() parent segment
Exploit
Submit to document folder listing endpoint
Execution
Bypass POSIX-only path containment check
Impact
Receive directory listing outside documents folder

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: a valid low-privilege authenticated session against the AnythingLLM instance (CVSS PR:L - unauthenticated access is not sufficient), a Windows-based deployment of AnythingLLM (the bypass is caused specifically by how Node.js path.relative() formats paths on Windows using backslashes and bare '..' segments), and network-level access to the document folder listing API endpoint. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N scores 4.3 (Medium), which is an accurate reflection of real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated low-privilege user crafts an HTTP request to the AnythingLLM document listing endpoint, supplying an encoded absolute Windows path such as 'C:\Windows\System32' or a path.relative()-style '..' segment targeting a parent directory. The path containment helper passes the input because it only checks for POSIX-style '../' sequences. …
Remediation Upgrade AnythingLLM to version 1.13.0 or later, which contains the vendor-released patch correcting the Windows-specific path containment logic. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-4899 HIGH POC
8.8 Sep 12

SQL Injection in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. Rated high severity (CVSS 8.8), this vulne

CVE-2023-4898 HIGH POC
7.5 Sep 12

Authentication Bypass by Primary Weakness in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. Rated high sev

CVE-2026-32626 CRITICAL
9.6 Mar 13

XSS in AnythingLLM 1.11.1 and earlier.

CVE-2026-32628 HIGH
7.7 Mar 13

SQL injection in AnythingLLM versions 1.11.1 and earlier enables authenticated users to execute arbitrary SQL commands a

CVE-2026-32617 HIGH
7.1 Mar 13

AnythingLLM versions 1.11.1 and earlier contain an authentication bypass vulnerability on default installations where th

CVE-2026-41318 MEDIUM
5.4 Apr 24

Stored DOM-level XSS in AnythingLLM's chart caption rendering allows authenticated users in shared workspaces to inject

CVE-2026-42456 MEDIUM
4.3 May 08

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatti

CVE-2026-32719 MEDIUM
4.2 Mar 13

AnythingLLM versions 1.11.1 and earlier contain a Zip Slip path traversal vulnerability in the community plugin import f

CVE-2026-32715 LOW
3.8 Mar 13

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatti

CVE-2026-32717 LOW
2.7 Mar 13

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatti

CVE-2026-47713 LOW
2.0 May 28

Stale mobile device tokens in AnythingLLM survive single-user to multi-user mode migration with a null userId, allowing

CVE-2026-45403 LOW
2.0 May 28

Symlink following in the AnythingLLM agent filesystem copy tool (versions prior to 1.13.0) allows a highly-privileged au

Share

CVE-2026-48789 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy