Unrated severityOSV Advisory· Published Dec 18, 2025· Updated Jan 22, 2026
CVE-2025-63390
CVE-2025-63390
Description
An authentication bypass vulnerability exists in AnythingLLM v1.8.5 in via the /api/workspaces endpoint. The endpoint fails to implement proper authentication checks, allowing unauthenticated remote attackers to enumerate and retrieve detailed information about all configured workspaces. Exposed data includes: workspace identifiers (id, name, slug), AI model configurations (chatProvider, chatModel, agentProvider), system prompts (openAiPrompt), operational parameters (temperature, history length, similarity thresholds), vector search settings, chat modes, and timestamps.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: v1.0.0, v1.1.0, v1.1.1, …
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.