AnythingLLM access control bypass: suspended users can continue using Browser Extension API keys

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, in multi-user mode, AnythingLLM blocks suspended users on the normal JWT-backed session path, but it does not block them on the browser extension API key path. If a user already has a valid brx-... browser extension API key, that key continues to work after suspension. As a result, a suspended user can still access browser extension endpoints, read reachable workspace metadata, and continue upload or embed operations even though normal authenticated requests are rejected.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

授权机制不正确

AnythingLLM 安全漏洞

AnythingLLM是Mintplex开源的一个一体化AI应用程序。 AnythingLLM 1.11.1及之前版本存在安全漏洞，该漏洞源于在多用户模式下，被暂停的用户在浏览器扩展API密钥路径上未被阻止，可能导致被暂停的用户仍可访问浏览器扩展端点并继续上传操作。

N/A

N/A