CVE-2024-8196: Missing Authentication for Critical Function in mintplex-labs/anything-llm

9.8 CVSS

Description

In mintplex-labs/anything-llm v1.5.11 desktop version for Windows, the application opens server port 3001 on 0.0.0.0 with no authentication by default. This vulnerability allows an attacker to gain full backend access, enabling them to perform actions such as deleting all data from the workspace.

Classification

CVE ID: CVE-2024-8196

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.8

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem Types

CWE-306 Missing Authentication for Critical Function

Affected Products

Vendor: mintplex-labs

Product: mintplex-labs/anything-llm

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.11% (probability of being exploited)

EPSS Percentile: 31.27% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-18 (date on which this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-8196
https://huntr.com/bounties/dbde1c71-7aa5-46f6-847a-d89793cf97a9
https://github.com/mintplex-labs/anything-llm/commit/9bfe477f10b188bfe3508ac29105df80d4522ece

Timeline