Vulnerabilities > CVE-2024-0798 - Unspecified vulnerability in Mintplexlabs Anythingllm

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

mintplexlabs

NVD

Published: 2024-02-26

Updated: 2025-02-27

Summary

A privilege escalation vulnerability exists in mintplex-labs/anything-llm, allowing users with 'default' role to delete documents uploaded by 'admin'. Despite the intended restriction that prevents 'default' role users from deleting admin-uploaded documents, an attacker can exploit this vulnerability by sending a crafted DELETE request to the /api/system/remove-document endpoint. This vulnerability is due to improper access control checks, enabling unauthorized document deletion and potentially leading to loss of data integrity.

Vulnerable Configurations

Part	Description	Count
Application	Mintplexlabs Mintplexlabs Anythingllm -	1

References

https://github.com/mintplex-labs/anything-llm/commit/d5cde8b7c27a47ab45b05b441db16751537f1733
https://github.com/mintplex-labs/anything-llm/commit/d5cde8b7c27a47ab45b05b441db16751537f1733
https://huntr.com/bounties/607f03a0-ab4d-4905-b253-3d28bbbd363c
https://huntr.com/bounties/607f03a0-ab4d-4905-b253-3d28bbbd363c