CVE-2024-8196: Mintplexlabs AnythingLLM Auth Bypass Flaw

CVE-2024-8196 Overview

CVE-2024-8196 affects mintplex-labs/anything-llm desktop version v1.5.11 for Windows. The application binds server port 3001 to 0.0.0.0 by default without any authentication. Any attacker on the same network can reach the backend API and perform privileged operations. Reported impact includes full backend access and the ability to delete all data from workspaces. The flaw is tracked under CWE-306: Missing Authentication for Critical Function.

Critical Impact

Unauthenticated network attackers can fully control the AnythingLLM desktop backend, including data deletion and configuration changes.

Affected Products

• mintplex-labs anything-llm desktop v1.5.11
• Microsoft Windows (desktop installation target)
• AnythingLLM standalone document collector service on port 8888

Discovery Timeline

• 2025-03-20 - CVE-2024-8196 published to NVD
• 2025-07-15 - Last updated in NVD database

Technical Details for CVE-2024-8196

Vulnerability Analysis

The AnythingLLM desktop application starts a local server intended for the user's machine only. Instead of binding to the loopback interface 127.0.0.1, the listener binds to 0.0.0.0. This exposes port 3001 to every interface, including LAN and any reachable network. The backend ships without authentication enabled by default. Attackers with network reachability can invoke administrative endpoints directly. Reported actions include enumeration of workspaces, modification of settings, and deletion of all stored data. The same pattern affected the standalone document collector listener on port 8888, which also bound to all interfaces.

Root Cause

The root cause is twofold: a missing authentication layer on backend endpoints and an overly permissive bind address on the HTTP listener. Network discovery was not opt-in, so default installs exposed the API surface beyond the local host.

Attack Vector

Exploitation requires only network access to the host running AnythingLLM Desktop on port 3001. No credentials, user interaction, or elevated privileges are needed. An attacker on the same Wi-Fi network, a malicious local process, or a routable adjacent host can issue HTTP requests directly to the backend.

// Security patch in collector/index.js - Opt-in network discovery
 });
 
 app
-  .listen(process.env.COLLECTOR_PORT || 8888, async () => {
-    await wipeCollectorStorage();
-    console.log(
-      `[${
-        process.env.NODE_ENV || "development"
-      }] AnythingLLM Standalone Document processor listening on port ${
-        process.env.COLLECTOR_PORT || 8888
-      }`
-    );
-  })
+  .listen(
+    process.env.COLLECTOR_PORT || 8888,
+    "127.0.0.1", // Network discovery of document collector is always off.
+    async () => {
+      await wipeCollectorStorage();
+      console.log(
+        `[${
+          process.env.NODE_ENV || "development"
+        }] AnythingLLM Standalone Document processor listening on port ${
+          process.env.COLLECTOR_PORT || 8888
+        }.`
+      );
+    }
+  )
   .on("error", function (_) {
     process.once("SIGUSR2", function () {
       process.kill(process.pid, "SIGUSR2");

Source: GitHub commit 9bfe477 — the patch forces the collector to listen on 127.0.0.1, making network discovery opt-in.

Detection Methods for CVE-2024-8196

Indicators of Compromise

• Workspaces, documents, or chat history disappearing from AnythingLLM without user action
• Inbound TCP connections to port 3001 or 8888 from non-loopback source addresses on hosts running AnythingLLM Desktop
• HTTP requests to AnythingLLM admin or workspace API paths originating from unexpected hosts on the LAN
• Process AnythingLLM.exe listening on 0.0.0.0:3001 rather than 127.0.0.1:3001 in netstat output

Detection Strategies

• Enumerate hosts on internal networks for open port 3001 and verify the responding service is not AnythingLLM Desktop
• Run netstat -anob on Windows endpoints to identify AnythingLLM processes bound to non-loopback addresses
• Correlate firewall logs for outbound or lateral traffic to ports 3001 and 8888 on user workstations

Monitoring Recommendations

• Alert on any non-localhost TCP session establishing to AnythingLLM listening ports
• Track installed AnythingLLM Desktop versions across the fleet and flag installations at or below v1.5.11
• Monitor for mass-delete operations in AnythingLLM application logs that indicate workspace tampering

How to Mitigate CVE-2024-8196

Immediate Actions Required

• Upgrade AnythingLLM Desktop to a version that includes commit 9bfe477f10b188bfe3508ac29105df80d4522ece or later
• Block inbound traffic to ports 3001 and 8888 on host firewalls for any interface other than loopback
• Avoid running AnythingLLM Desktop on untrusted or shared networks until patched
• Back up workspace data before applying updates to recover from any prior tampering

Patch Information

The upstream fix is published in the mintplex-labs/anything-llm commit 9bfe477. The change binds the collector listener to 127.0.0.1 so network discovery is disabled by default. Additional details are available in the Huntr bounty notification.

Workarounds

• Configure the Windows Defender Firewall to block inbound connections to AnythingLLM Desktop ports from non-loopback sources
• Restrict the host to a private network profile and disable file and printer sharing exposure on the affected adapter
• Run AnythingLLM Desktop only while disconnected from untrusted networks until the patched build is deployed

# Configuration example: block external access to AnythingLLM ports on Windows
netsh advfirewall firewall add rule name="Block AnythingLLM 3001 Inbound" ^
  dir=in action=block protocol=TCP localport=3001 remoteip=LocalSubnet,Internet
netsh advfirewall firewall add rule name="Block AnythingLLM 8888 Inbound" ^
  dir=in action=block protocol=TCP localport=8888 remoteip=LocalSubnet,Internet