Unrated severityOSV Advisory· Published Dec 18, 2025· Updated Jan 22, 2026

CVE-2025-63390

Description

An authentication bypass vulnerability exists in AnythingLLM v1.8.5 in via the /api/workspaces endpoint. The endpoint fails to implement proper authentication checks, allowing unauthenticated remote attackers to enumerate and retrieve detailed information about all configured workspaces. Exposed data includes: workspace identifiers (id, name, slug), AI model configurations (chatProvider, chatModel, agentProvider), system prompts (openAiPrompt), operational parameters (temperature, history length, similarity thresholds), vector search settings, chat modes, and timestamps.

Affected products

Mintplex Labs/Anything LLMOSV
Range: v1.0.0, v1.1.0, v1.1.1, …

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

gist.github.com/Cristliu/0897bceac5fdc2d945304b5087a84f14mitre
gist.github.com/Cristliu/ba529c99abec87102e5ef36435d02a6dmitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000