CVE-2024-0404

9.1 CRITICAL

📋 TL;DR

This CVE describes a mass assignment vulnerability in the Anything-LLM software that allows attackers to create administrative accounts by intercepting and modifying invitation requests. Any organization running vulnerable versions of Anything-LLM with the invitation feature enabled is affected. Attackers can gain full administrative control over the system.

💻 Affected Systems

Products:
  • mintplex-labs/anything-llm
Versions: prior to commit 8cd3a92c660b202655d99bee90b2864694c99946
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists when using the invitation system feature. Systems not using invitation links are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise where attackers gain administrative access, can exfiltrate sensitive data, modify system configurations, deploy malware, or disrupt operations entirely.

🟠 Likely Case

Unauthorized administrative account creation leading to data theft, privilege escalation, and potential lateral movement within the environment.

🟢 If Mitigated

Limited impact with proper input validation and role-based access controls preventing unauthorized privilege escalation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires intercepting invitation requests (man-in-the-middle position) but is technically simple once that position is achieved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 8cd3a92c660b202655d99bee90b2864694c99946 and later

Vendor Advisory: https://github.com/mintplex-labs/anything-llm/commit/8cd3a92c660b202655d99bee90b2864694c99946

Restart Required: Yes

Instructions:

1. Update to the latest version of Anything-LLM.
2. Pull the latest code from the repository.
3. Restart the application.
4. Verify the fix by checking that the role parameter is no longer accepted from user input.

🔧 Temporary Workarounds

Disable invitation system (applies to: all)
  • Temporarily disable the invitation feature until patching can be completed
  • Modify application configuration to disable invitation endpoints

Implement request validation middleware (applies to: all)
  • Add input validation to strip or reject unexpected role parameters
  • Implement server-side validation for all user inputs
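As an added illustration of the "strip or reject unexpected role parameters" workaround (example code, not Anything-LLM's own): a hypothetical invite-acceptance handler written in the mass-assignment shape, beside an allow-list version that takes the new account's role from the server-side invitation record instead of the request body. Function names, the user record shape and the "default" role are assumptions.

```javascript
// Added example, not code from the Anything-LLM project. Names below
// (acceptInviteUnsafe, acceptInviteHardened, the "default" role) are assumed.

const ALLOWED_INVITE_FIELDS = ["username", "password"];

// Mass-assignment shape: the whole request body is copied into the new user
// record, so a client-supplied "role" field becomes the account's role.
function acceptInviteUnsafe(invite, body) {
  return { ...body, invitedBy: invite.createdBy };
}

// Hardened shape: only allow-listed fields are read from the body, and the
// role is decided server-side from the invitation, never from user input.
function acceptInviteHardened(invite, body) {
  const user = {};
  for (const field of ALLOWED_INVITE_FIELDS) {
    if (typeof body[field] === "string") user[field] = body[field];
  }
  user.role = invite.role ?? "default";
  user.invitedBy = invite.createdBy;
  return user;
}

// Strict variant for a validation middleware: report unexpected keys so the
// handler can reject the request (HTTP 400) and the attempt is logged rather
// than silently dropped.
function unexpectedFields(body) {
  return Object.keys(body).filter((k) => !ALLOWED_INVITE_FIELDS.includes(k));
}

// Constructed sample input: an invitation for an ordinary user, and a body
// that smuggles role=admin alongside the expected credentials.
const sampleInvite = { code: "abc123", createdBy: 1, role: "default" };
const sampleBody = { username: "alice", password: "correct-horse", role: "admin" };

// Returns the role each handler would persist, for comparison.
function compareHandlers() {
  return {
    unsafeRole: acceptInviteUnsafe(sampleInvite, sampleBody).role,       // "admin"
    hardenedRole: acceptInviteHardened(sampleInvite, sampleBody).role,   // "default"
    rejectedKeys: unexpectedFields(sampleBody),                          // ["role"]
  };
}

console.log(compareHandlers());
```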

🧯 If You Can't Patch

  • Implement network segmentation to isolate the vulnerable system
  • Enable detailed logging and monitoring for suspicious account creation activities

🔍 How to Verify

Check if Vulnerable:

Test if the /api/invite/:code endpoint accepts role parameters in POST requests. If it allows setting role to admin, the system is vulnerable.

Check Version:

Check the git commit hash or version in the application configuration

Verify Fix Applied:

Attempt to send a POST request to the invitation endpoint with a role parameter. The request should be rejected or the role parameter should be ignored.

📡 Detection & Monitoring

Log Indicators:

  • Unusual account creation events
  • Multiple admin account creations from single IP
  • Requests containing role parameters in invitation endpoints

Network Indicators:

  • HTTP POST requests to /api/invite/* containing role parameters
  • Unusual traffic patterns to invitation endpoints

SIEM Query:

source="web_logs" AND (uri="/api/invite/*" AND method="POST" AND (body CONTAINS "role" OR params CONTAINS "role"))
