AVID-2026-R1459

Description

Privilege Escalation via Improper Input Validation in mintplex-labs/anything-llm (CVE-2024-3101)

Details

In mintplex-labs/anything-llm, an improper input validation vulnerability allows attackers to escalate privileges by deactivating ‘Multi-User Mode’. By sending a specially crafted curl request with the ‘multi_user_mode’ parameter set to false, an attacker can deactivate ‘Multi-User Mode’. This action permits the creation of a new admin user without requiring a password, leading to unauthorized administrative access.

Reason for inclusion in AVID: The CVE describes a privilege escalation via improper input validation in mintplex-labs/anything-llm, a software component used within AI systems to manage LLM deployments. Exploiting this vulnerability allows an attacker to create an admin account without a password, compromising the AI runtime/deployment stack. This is a software supply-chain issue within AI software stacks (not hardware/firmware), affecting components used to build, deploy, or run general-purpose AI systems.

References

• NVD entry
• https://huntr.com/bounties/c114c03e-3348-450f-88f7-538502047bcc
• https://github.com/mintplex-labs/anything-llm/commit/52fac844221a9b951d08ceb93c4c014e9397b1f2

Affected or Relevant Artifacts

• Developer: mintplex-labs
• Deployer: mintplex-labs
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2024-04-10
• Version: 0.3.3
• AVID Entry