CVE-2024-10109 HIGH

CVE-2024-10109: Incorrect Authorization in mintplex-labs/anything-llm

Vendor Mintplex-Labs
Product mintplex-labs/anything-llm
Weakness CWE-863 · Incorrect authorization
Published March 20, 2025
Last update March 20, 2025
View on NVD All CVEs

CVSS base score

8.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H

What the vulnerability does

01Description

A vulnerability in the mintplex-labs/anything-llm repository, as of commit 5c40419, allows low privilege users to access the sensitive API endpoint "/api/system/custom-models". This access enables them to modify the model's API key and base path, leading to potential API key leakage and denial of service on chats.

Key dates

02Disclosure timeline

March 20, 2025 CVE published
March 20, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-41910 OpenClaw < 2026.4.8 - Missing Owner-Only Enforcement in /allowlist Cross-Channel Writes CVE-2026-45831 CVE-2026-33676 Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read CVE-2024-49256 WordPress Htaccess File Editor plugin <= 1.0.18 - Broken Access Control vulnerability CVE-2026-33650 AVideo's Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Video Deletion