CVE-2026-5627
Description
A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the AgentFlows component. The vulnerability arises from improper handling of user input in the loadFlow and deleteFlow methods in server/utils/agentFlows/index.js. Specifically, the combination of path.join and normalizePath allows attackers to bypass directory restrictions and access or delete arbitrary .json files on the server. This can lead to information disclosure, such as leaking sensitive configuration files containing API keys, or denial of service by deleting critical files like package.json. The issue is resolved in version 1.12.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*range: <=1.9.1
- (no CPE)range: <=1.9.1
Patches
Vulnerability mechanics
References
2- github.com/mintplex-labs/anything-llm/commit/3444b9b0aa6764d72d53670ab4b1aaccdc6b7017nvdPatch
- huntr.com/bounties/597d41c5-7ea0-4786-80f4-bd536ec66374nvdExploitThird Party Advisory
News mentions
0No linked articles in our index yet.