CVE-2026-21484 MEDIUM

CVE-2026-21484: AnythingLLM Vulnerable to Username Enumeration w/ Password Recovery

Vendor Mintplex-Labs
Product anything-llm
Weakness CWE-203
Published January 3, 2026
Last update January 5, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313, the password recovery endpoint returns different error messages depending on whether a username exists, so enabling username enumeration. Commit e287fab56089cf8fcea9ba579a3ecdeca0daa313 fixes this issue.

Key dates

02Disclosure timeline

January 3, 2026 CVE published
January 5, 2026 Record updated