CVE-2024-4287

Published: May 20, 2024Modified: Jul 10, 2025

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

In mintplex-labs/anything-llm, a vulnerability exists due to improper input validation in the workspace update process. Specifically, the application fails to validate or format JSON data sent in an HTTP POST request to `/api/workspace/:workspace-slug/update`, allowing it to be executed as part of a database query without restrictions. This flaw enables users with a manager role to craft a request that includes nested write operations, effectively allowing them to create new Administrator accounts.

Affected (1)

Products: Mintplexlabs: Anythingllm

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mintplexlabs Anythingllm	Before 1.0.0

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (4)

https://github.com/mintplex-labs/anything-llm/commit/94b58249a37a21b1c08deaa2d1edfdecbb6deb18

Source: security@huntr.dev

Patch

https://huntr.com/bounties/34491fb7-5133-4e80-8782-74124350bbdb

Source: security@huntr.dev

ExploitThird Party Advisory

https://github.com/mintplex-labs/anything-llm/commit/94b58249a37a21b1c08deaa2d1edfdecbb6deb18

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://huntr.com/bounties/34491fb7-5133-4e80-8782-74124350bbdb

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.