EUVD-2026-19637
GHSA-3593-xf56-f85v
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3Description
A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the `AgentFlows` component. The vulnerability arises from improper handling of user input in the `loadFlow` and `deleteFlow` methods in `server/utils/agentFlows/index.js`. Specifically, the combination of `path.join` and `normalizePath` allows attackers to bypass directory restrictions and access or delete arbitrary `.json` files on the server. This can lead to information disclosure, such as leaking sensitive configuration files containing API keys, or denial of service by deleting critical files like `package.json`. The issue is resolved in version 1.12.1.
Analysis
Path traversal in mintplex-labs/anything-llm (versions ≤1.9.1) allows authenticated administrators to read or delete arbitrary JSON files on the server, bypassing directory restrictions in the AgentFlows component. Exploitation requires high privileges (administrator access) but achieves cross-scope impact including leaking sensitive API keys from configuration files or destroying critical package.json files. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all instances of AnythingLLM in your environment and document current versions via admin console or deployment logs. Within 7 days: Upgrade all affected instances to version 1.12.1 or later; test in non-production environment first. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today