CVE-2024-0795

7.2 HIGH

📋 TL;DR

This vulnerability lets a user who holds the manager role in Anything LLM create a new user with the admin role. The limit on which roles a manager may assign was not enforced by the backend, so a manager who sends the user-creation request directly with the role set to admin obtains an admin account and with it full control of the instance. The attacker must already hold a manager (or admin) account; the flaw is improper access control (CWE-284).
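To make the missing check concrete, the following is an added illustration (my own code, not AnythingLLM's) of a user-creation handler in its vulnerable shape beside a hardened one. AnythingLLM really does have the three roles default, manager and admin; the function names, the request-body fields and the table of which role may grant which are assumptions made for the example.

```javascript
// Added illustration of the CVE-2024-0795 access-control gap; not AnythingLLM's code.
// AnythingLLM's real roles are default, manager and admin. The handler shapes,
// the request body fields and the grant table below are assumptions made for
// the example.

const ROLES = { admin: "admin", manager: "manager", default: "default" };

// Roles allowed to reach the user-creation endpoint at all.
const CAN_CREATE_USERS = new Set([ROLES.admin, ROLES.manager]);

// Vulnerable shape: the backend confirms the caller is an admin or manager and
// then trusts the role named in the request body. The UI may hide "admin" from
// a manager's drop-down, but an attacker does not use the UI: a manager who
// POSTs role="admin" directly gets an admin account.
function createUserVulnerable(currentUser, body) {
  if (!CAN_CREATE_USERS.has(currentUser.role)) {
    return { status: 403, error: "forbidden" };
  }
  const role = body.role ?? ROLES.default;
  return { status: 200, user: { username: body.username, role } };
}

// Hardened shape: the role being granted is checked against the caller's own
// role on the server. Assumed policy: admins may grant any role, managers only
// manager or default. Unknown role strings are rejected, not defaulted.
const GRANTABLE_BY = {
  [ROLES.admin]: new Set([ROLES.admin, ROLES.manager, ROLES.default]),
  [ROLES.manager]: new Set([ROLES.manager, ROLES.default]),
};

function createUserHardened(currentUser, body) {
  const grantable = GRANTABLE_BY[currentUser.role];
  if (!grantable) {
    return { status: 403, error: "forbidden" };
  }
  const role = body.role ?? ROLES.default;
  if (!grantable.has(role)) {
    return { status: 403, error: `a ${currentUser.role} may not grant role ${role}` };
  }
  if (typeof body.username !== "string" || body.username.length === 0) {
    return { status: 400, error: "username required" };
  }
  return { status: 200, user: { username: body.username, role } };
}

// The same crafted request against both handlers: a manager asking for an admin.
function demo() {
  const manager = { username: "mallory", role: ROLES.manager };
  const crafted = { username: "backdoor", role: ROLES.admin };
  return {
    vulnerable: createUserVulnerable(manager, crafted),
    hardened: createUserHardened(manager, crafted),
  };
}
```

The point of the hardened version is that the decision "may this caller grant this role" is made on the server from the caller's authenticated role, never from what the client chose to send; hiding an option in the frontend is not an access control.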

💻 Affected Systems

Products:
  • Anything LLM
Versions: all revisions before commit 9a237db3d1f66cdbcf5079599258f5fb251c5564
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to already have admin or manager role access to the instance.

📦 What is this software?

Anything LLM (mintplex-labs/anything-llm) is an open-source application from Mintplex Labs for chatting with uploaded documents through a configurable LLM and vector database. It can run in a multi-user mode with three roles, default, manager and admin; this vulnerability concerns the boundary between manager and admin.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the Anything LLM instance: the attacker creates persistent admin accounts, reads every workspace's documents and chat history along with the provider credentials held in system settings, and can use those credentials or the host itself to pivot to other systems.

🟠

Likely Case

A user holding only the manager role creates an additional admin account (an admin creating admins is expected behaviour) and keeps it as a persistent, fully privileged foothold, bypassing the intended role hierarchy.

🟢

If Mitigated

Minimal impact once the backend rejects admin-role creation from non-admin callers and the list of admin accounts is reviewed for ones nobody recognises.

🌐 Internet-Facing: HIGH if the instance is reachable from the internet and any manager-level credential is phished, reused or otherwise compromised.
🏢 Internal Only: MEDIUM, since an existing manager/admin session is required, but a manager-turned-admin gains the stored provider credentials and all workspace data, which can support lateral movement.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated manager-level account (an admin can already create admins), but once that access is held it amounts to sending the user-creation request with the role field set to admin.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 9a237db3d1f66cdbcf5079599258f5fb251c5564 and later

Vendor Advisory: https://github.com/mintplex-labs/anything-llm/commit/9a237db3d1f66cdbcf5079599258f5fb251c5564

Restart Required: Yes

Instructions:

1. Update Anything LLM to the latest version, or to any revision that contains commit 9a237db3d1f66cdbcf5079599258f5fb251c5564.
2. Restart the application so the patched backend is what serves requests.
3. Review existing admin accounts, since a manager may already have used the flaw before the patch.

🔧 Temporary Workarounds

Restrict Admin Access

all

Limit admin and manager role assignments to essential personnel, compare the current admin list against the one you expect, and alert on every new admin creation.

Implement Additional Authentication Layer

all

Place the instance behind an authenticating reverse proxy or SSO gateway so that only trusted identities can reach the admin API at all. This raises the cost of obtaining a manager session but does not restore the missing backend check.

🧯 If You Can't Patch

  • Implement strict monitoring of user creation events and admin account activities.
  • Regularly audit admin accounts and remove unnecessary elevated privileges.

🔍 How to Verify

Check if Vulnerable:

You are vulnerable if the deployed revision of Anything LLM does not contain commit 9a237db3d1f66cdbcf5079599258f5fb251c5564. Note that git log --oneline -1 prints only the checked-out HEAD, which says nothing about whether an earlier fix commit is an ancestor of it.

Check Version:

git merge-base --is-ancestor 9a237db3d1f66cdbcf5079599258f5fb251c5564 HEAD && echo patched || echo VULNERABLE

Verify Fix Applied:

Confirm the command above prints "patched", then test the behaviour on your own instance: log in with a manager-role account and attempt to create a user with the admin role using the same request the UI would send. A patched backend rejects the request; an unpatched one silently creates the admin.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected admin user creation events
  • Multiple admin accounts created in short time

Network Indicators:

  • Unusual API calls to user creation endpoints from admin accounts

SIEM Query:

source="anything-llm" AND event="user_created" AND role="admin"
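As an added example (not from the page or from AnythingLLM), the two log indicators above expressed as detection logic in JavaScript and run over constructed JSON-lines events. The event shape and field names (ts, event, actor, actor_role, new_user, new_role) are assumptions for the example; map them to whatever your log pipeline or the SIEM query above actually uses.

```javascript
// Added example for the detection section; not part of the page or of AnythingLLM.
// The JSON event shape below is constructed for the example: field names in your
// own pipeline will differ and must be mapped.
const SAMPLE_LOG = [
  '{"ts":"2024-03-01T10:00:00Z","event":"user_created","actor":"alice","actor_role":"admin","new_user":"bob","new_role":"default"}',
  '{"ts":"2024-03-01T10:05:00Z","event":"user_created","actor":"mallory","actor_role":"manager","new_user":"backdoor1","new_role":"admin"}',
  '{"ts":"2024-03-01T10:05:30Z","event":"user_created","actor":"mallory","actor_role":"manager","new_user":"backdoor2","new_role":"admin"}',
  '{"ts":"2024-03-01T10:06:10Z","event":"user_created","actor":"alice","actor_role":"admin","new_user":"carol","new_role":"admin"}',
  '{"ts":"2024-03-01T11:00:00Z","event":"login","actor":"bob"}',
  "garbage line that is not JSON",
];

// Parse JSON-lines input, skipping malformed lines rather than aborting the sweep.
function parseEvents(lines) {
  const events = [];
  for (const line of lines) {
    try {
      const e = JSON.parse(line);
      if (e && typeof e === "object" && e.event) events.push(e);
    } catch {
      // malformed line: ignore
    }
  }
  return events;
}

// Two rules over user_created events that grant the admin role:
//  1. the actor was not itself an admin (the CVE-2024-0795 pattern);
//  2. at least burstThreshold admin accounts created inside windowMs.
function detectSuspiciousAdminCreation(lines, { windowMs = 10 * 60 * 1000, burstThreshold = 3 } = {}) {
  const findings = [];
  const adminCreations = parseEvents(lines)
    .filter((e) => e.event === "user_created" && e.new_role === "admin")
    .map((e) => ({ ...e, t: Date.parse(e.ts) }))
    .filter((e) => !Number.isNaN(e.t))
    .sort((a, b) => a.t - b.t);

  for (const e of adminCreations) {
    if (e.actor_role !== "admin") {
      findings.push({ rule: "non_admin_granted_admin", actor: e.actor, new_user: e.new_user, ts: e.ts });
    }
  }

  // Sliding window over the time-sorted admin creations; report the first burst.
  let start = 0;
  for (let end = 0; end < adminCreations.length; end++) {
    while (adminCreations[end].t - adminCreations[start].t > windowMs) start++;
    const count = end - start + 1;
    if (count >= burstThreshold) {
      findings.push({ rule: "admin_creation_burst", count, from: adminCreations[start].ts, to: adminCreations[end].ts });
      break;
    }
  }
  return findings;
}
```

Rule 1 is the high-fidelity signal: after the patch it should never fire, so any hit means either an unpatched instance or a different problem with role enforcement. Rule 2 also catches legitimate onboarding bursts and is better treated as a review prompt than an alert.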
