CVE-2024-7783 Overview
CVE-2024-7783 affects mintplex-labs/anything-llm, an open-source local large language model (LLM) application. In single-user mode, the application stores the user password inside the JSON Web Token (JWT) issued as a bearer token. Because a standard JWT payload is only Base64URL-encoded and signed, not encrypted, any party that obtains the token can decode it and read the password in plaintext. This is a cleartext storage of sensitive information weakness [CWE-312]. The issue is fixed in version 1.0.3.
Critical Impact
An attacker who captures or otherwise obtains a valid AnythingLLM bearer token in single-user mode can decode it offline and recover the account password in plaintext, enabling full account takeover.
Affected Products
- mintplex-labs anything-llm prior to version 1.0.3
- Deployments running in single-user authentication mode
- All platforms (self-hosted, Docker, desktop) on affected versions
Discovery Timeline
- 2024-10-29 - CVE-2024-7783 published to NVD
- 2024-10-31 - Last updated in NVD database
Technical Details for CVE-2024-7783
Vulnerability Analysis
AnythingLLM supports a single-user mode where authentication is performed against a single shared password. When a user authenticates, the server issues a JWT containing identity claims used by downstream middleware to validate subsequent requests. In the vulnerable code path, the JWT payload includes the raw password value rather than an opaque identifier, a hash, or an encrypted reference.
JWTs are not encrypted by default. The payload is Base64URL-encoded and signed, which protects integrity but not confidentiality. Any actor with read access to the token, through browser storage, logs, proxies, or backups, can decode the payload and recover the credential.
The upstream fix introduces an EncryptionManager utility that encrypts the sensitive value before it is placed into the JWT and decrypts it during request validation. This removes the plaintext credential from the token surface.
Root Cause
The root cause is cleartext storage of sensitive information [CWE-312] inside a token that is treated as a public bearer artifact. The single-user authentication flow placed the password directly into the JWT claims used by validatedRequest middleware, conflating the credential with the session identity claim.
Attack Vector
An attacker who gains access to a valid JWT, for example through cross-site scripting against the web UI, a stolen browser profile, exposed logs, or a misconfigured reverse proxy that records Authorization headers, can Base64-decode the token offline. No network interaction with the server is required to recover the password. The recovered credential can then be reused on the same instance or replayed where users have reused passwords.
// Patch in server/utils/middleware/validatedRequest.js
const { SystemSettings } = require("../../models/systemSettings");
const { User } = require("../../models/user");
+const { EncryptionManager } = require("../EncryptionManager");
const { decodeJWT } = require("../http");
+const EncryptionMgr = new EncryptionManager();
async function validatedRequest(request, response, next) {
const multiUserMode = await SystemSettings.isMultiUserMode();
// Source: https://github.com/mintplex-labs/anything-llm/commit/4430ddb05988470bc8f0479e7d07db1f7d4646ba
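Review bot: the excerpt stops right after the SystemSettings.isMultiUserMode() lookup, so in the visible lines the new EncryptionMgr (`+const EncryptionMgr = new EncryptionManager();`) is imported and constructed but never called; the single-user branch where the decoded JWT claim is handed to EncryptionMgr for decryption is what actually removes the plaintext exposure the text describes, and the excerpt should include those lines (otherwise the reader has to follow the linked commit to confirm the behaviour). Constructing the manager at module scope also means whatever key material EncryptionManager needs must be available when validatedRequest.js is first required, which is worth documenting next to the instantiation.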
The patch wires EncryptionManager into the validation middleware so the credential carried via the JWT is encrypted at rest in the token and decrypted server-side, eliminating the plaintext exposure.
Detection Methods for CVE-2024-7783
Indicators of Compromise
- Presence of AnythingLLM versions earlier than 1.0.3 running in single-user mode.
- JWT bearer tokens whose decoded payloads contain a password field or any field with a plaintext credential value.
- Authentication success events from unexpected IP addresses or user agents following token exposure.
Detection Strategies
- Inventory AnythingLLM deployments and compare installed versions against 1.0.3. Flag any earlier release for remediation.
- Inspect any captured Authorization: Bearer tokens in proxy, WAF, or browser DevTools captures and Base64-decode the middle segment to verify whether plaintext credentials are present.
- Review access logs for Authorization headers being inadvertently written to disk by reverse proxies such as nginx or Apache.
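The token inspection described in the two strategies above, as an added example that is not part of the original advisory or the AnythingLLM project: it scans log lines for eyJ-prefixed bearer tokens, decodes only the payload segment, and reports which tokens carry a credential-looking claim. The key-name heuristic (CREDENTIAL_KEY_RE) is an assumption, and claim values are never emitted so the audit does not re-expose them; the log lines are constructed samples.

```javascript
// eyJ is the Base64URL encoding of the '{"' that opens every JSON JWT header.
const JWT_RE = /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*/g;
// Heuristic (assumed): claim names that suggest a plaintext credential.
const CREDENTIAL_KEY_RE = /pass(word|wd)?|secret|pwd/i;

// Decode the payload segment only. No signature check: a defender auditing
// captured tokens usually does not hold the instance's signing secret.
function decodePayload(token) {
  try {
    return JSON.parse(Buffer.from(token.split(".")[1], "base64url").toString("utf8"));
  } catch {
    return null; // not a well-formed JWT payload
  }
}

// Returns one finding per token whose payload has a credential-looking key.
// Only the line number, the offending key names and a short token prefix are
// reported, never the claim values.
function scanLines(lines) {
  const findings = [];
  lines.forEach((line, idx) => {
    for (const token of line.match(JWT_RE) || []) {
      const claims = decodePayload(token);
      if (!claims || typeof claims !== "object") continue;
      const keys = Object.keys(claims).filter((k) => CREDENTIAL_KEY_RE.test(k));
      if (keys.length) findings.push({ line: idx + 1, keys, tokenPrefix: token.slice(0, 12) + "..." });
    }
  });
  return findings;
}

// Constructed sample tokens (unsigned; signature segment is a placeholder) and
// constructed reverse-proxy log lines that recorded the Authorization header.
function sampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}.constructedsig`;
}
const SAMPLE_LOG = [
  `10.0.0.5 - - "GET /api/system HTTP/1.1" 200 authorization="Bearer ${sampleToken({ password: "constructed-pw", iat: 1 })}"`,
  `10.0.0.6 - - "GET /api/workspaces HTTP/1.1" 200 authorization="Bearer ${sampleToken({ id: 1, iat: 2 })}"`,
  `10.0.0.7 - - "GET /healthz HTTP/1.1" 200`,
];
```

Run scanLines(SAMPLE_LOG) to see a single finding for line 1 with keys ["password"]; a hit on a real log means that line's token and the credential it carries must be treated as exposed.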
Monitoring Recommendations
- Monitor outbound and inbound traffic to AnythingLLM endpoints for anomalous authentication patterns following any suspected token disclosure.
- Alert on log files or backup artifacts that contain eyJ-prefixed strings (the Base64URL encoding of a JSON JWT header) co-located with AnythingLLM hostnames.
- Track login activity from previously unseen sources after upgrading and rotating credentials.
How to Mitigate CVE-2024-7783
Immediate Actions Required
- Upgrade AnythingLLM to version 1.0.3 or later, which incorporates the EncryptionManager fix in commit 4430ddb.
- Rotate the single-user password after upgrading, since prior tokens may still expose the old credential.
- Invalidate all existing JWTs by rotating the JWT signing secret so legacy tokens cannot be reused.
- Audit logs, browser storage, and proxy caches for any retained AnythingLLM bearer tokens and purge them.
Patch Information
The vulnerability is fixed in AnythingLLM version 1.0.3. The fix is contained in the upstream commit referenced in the GitHub commit note and was reported through the Huntr bug bounty report. The patch introduces an EncryptionManager invoked from server/endpoints/system.js and server/utils/middleware/validatedRequest.js to encrypt credential material carried via the JWT.
Workarounds
- Place AnythingLLM behind an authenticating reverse proxy that strips or rewrites the Authorization header before it is logged.
- Restrict network exposure of the AnythingLLM instance to trusted clients via firewall or VPN until the upgrade is applied.
- Use a password unique to AnythingLLM so disclosure does not propagate to other systems.
# Upgrade an AnythingLLM Docker deployment to a patched release (1.0.3 or later)
docker pull mintplexlabs/anythingllm:latest
# Stop and remove the old container; the persistent storage volume is kept
docker stop anythingllm && docker rm anythingllm
# Start the new release; a fresh JWT_SECRET invalidates every token issued before the upgrade
docker run -d --name anythingllm \
  -p 3001:3001 \
  -v "$PWD/anythingllm-storage:/app/server/storage" \
  -e JWT_SECRET="$(openssl rand -hex 32)" \
  mintplexlabs/anythingllm:latest
# Verify the version is >= 1.0.3 in the application UI after restart, then rotate the single-user password
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

