CVE-2026-24477 PoC — AnythingLLM 安全漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-24477.yaml

Associated Vulnerability

Title:AnythingLLM 安全漏洞 (CVE-2026-24477)
Description:AnythingLLM是Mintplex开源的一个一体化AI应用程序。 AnythingLLM 1.10.0之前版本存在安全漏洞，该漏洞源于/api/setup-complete端点以明文暴露QdrantApiKey，可能导致攻击者获得对向量数据库的读写访问权限。

Description

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text to unauthenticated users via the `/api/setup-complete` endpoint. Leakage of QdrantApiKey allows an unauthenticated attacker full read/write access to the Qdrant vector database instance used by AnythingLLM. Since Qdrant often stores the core knowledge base for RAG in AnythingLLM, this can lead to complete compromise of the semantic search / retrieval functionality and indirect leakage of confidential uploaded documents. Version 1.10.0 patches the issue.

File Snapshot


 id: CVE-2026-24477

info:
  name: AnythingLLM - Information Disclosure
  author: DhiyaneshDk
  sever

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!