CVE-2026-24477 Overview
CVE-2026-24477 is a sensitive information exposure vulnerability in AnythingLLM, an application that transforms content into context for Large Language Models (LLMs) to use as references during chatting. When AnythingLLM is configured to use Qdrant as the vector database with an API key, the QdrantApiKey is exposed in plain text to unauthenticated users via the /api/setup-complete endpoint.
Critical Impact
Unauthenticated attackers can obtain the Qdrant API key, gaining full read/write access to the vector database. This can lead to complete compromise of the semantic search functionality and indirect leakage of confidential uploaded documents stored in the RAG knowledge base.
Affected Products
- Mintplex Labs AnythingLLM versions prior to 1.10.0
Discovery Timeline
- 2026-01-27 - CVE-2026-24477 published to NVD
- 2026-01-28 - Last updated in NVD database
Technical Details for CVE-2026-24477
Vulnerability Analysis
This vulnerability falls under CWE-201 (Insertion of Sensitive Information Into Sent Data), where sensitive configuration data is inadvertently exposed through an API endpoint. The core issue lies in the /api/setup-complete endpoint returning configuration details that include the Qdrant API key without requiring authentication.
Qdrant is a popular vector similarity search engine commonly used in Retrieval-Augmented Generation (RAG) architectures. In AnythingLLM deployments, Qdrant typically stores embeddings of all uploaded documents and content that form the knowledge base for LLM interactions. The exposure of the API key grants attackers complete control over this critical data store.
Root Cause
The root cause is improper access control on the /api/setup-complete endpoint. The endpoint was designed to return configuration status information but failed to filter out sensitive credentials before responding to unauthenticated requests. The QdrantApiKey was included in the response payload without proper redaction or authentication checks.
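The pattern behind this root cause, as an added example that is neither AnythingLLM's source nor its patch: a handler that serializes its whole settings object, beside one that returns only an allowlist of fields, plus a regression check for credential-like fields in a response body. The function names and every setting other than QdrantApiKey are assumptions made for illustration.

```javascript
// Added example, not AnythingLLM code. Every setting name except
// QdrantApiKey, and every value, is a constructed placeholder.
const SAMPLE_SETTINGS = {
  RequiresAuth: true,
  VectorDB: "qdrant",
  QdrantEndpoint: "http://qdrant.internal.example:6333",
  QdrantApiKey: "constructed-sample-key-0000",
};

// Vulnerable pattern: the whole settings object is serialized, so any
// credential stored in it reaches whoever can call the endpoint.
function setupCompleteUnsafe(settings) {
  return { results: { ...settings } };
}

// Hardened pattern: an explicit allowlist of fields that are safe to show
// before login. A newly added setting stays hidden until it is listed here.
const PUBLIC_FIELDS = new Set(["RequiresAuth", "VectorDB"]);

function setupCompleteSafe(settings) {
  const results = {};
  for (const [key, value] of Object.entries(settings)) {
    if (PUBLIC_FIELDS.has(key)) results[key] = value;
  }
  return { results };
}

// Regression check: paths of credential-like fields that carry a value.
const SECRET_NAME = /(api[_-]?key|secret|token|password)/i;

function leakedSecretFields(body) {
  const found = [];
  const walk = (node, path) => {
    if (node === null || typeof node !== "object") return;
    for (const [key, value] of Object.entries(node)) {
      const here = path ? `${path}.${key}` : key;
      if (typeof value === "string" && value.length > 0 && SECRET_NAME.test(key)) {
        found.push(here);
      } else walk(value, here);
    }
  };
  walk(body, "");
  return found;
}
```

Running `leakedSecretFields` against the pre-authentication responses of a deployment in an integration test catches the same class of leak if a later change adds a credential to the settings object.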
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Sending an unauthenticated HTTP request to the /api/setup-complete endpoint on a vulnerable AnythingLLM instance
- Parsing the JSON response to extract the QdrantApiKey value
- Using the obtained API key to connect directly to the Qdrant vector database instance
- Performing read operations to exfiltrate document embeddings and associated metadata
- Executing write operations to corrupt, delete, or inject malicious data into the knowledge base
The attack is particularly severe because it enables indirect access to confidential documents that users have uploaded to AnythingLLM, even though the documents themselves may not be directly exposed.
Detection Methods for CVE-2026-24477
Indicators of Compromise
- Unusual or unexpected requests to the /api/setup-complete endpoint, especially from external IP addresses
- Unauthorized access attempts to the Qdrant database from IP addresses not associated with the AnythingLLM application server
- Anomalous read or write operations on the Qdrant vector database outside normal application patterns
- Evidence of bulk data extraction or enumeration activities against the vector database
Detection Strategies
- Monitor web server access logs for requests to /api/setup-complete from unauthenticated sessions or suspicious source IPs
- Implement alerting on Qdrant database connections originating from unexpected network locations
- Review application logs for API key usage patterns that deviate from normal AnythingLLM operations
- Deploy web application firewalls (WAF) with rules to detect reconnaissance activities against setup endpoints
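One way to implement the access-log check from the first strategy, as an added example that is not part of the original advisory: it groups requests for /api/setup-complete by source address, skips trusted networks, and separates served (200) from refused responses. The combined-log layout, the trusted CIDR and all log lines are constructed assumptions; since this log format carries no session state, the source address stands in for "unauthenticated".

```javascript
// Added example; the log lines and addresses below are constructed.
const SAMPLE_LOG = [
  '10.0.0.5 - - [27/Jan/2026:10:01:02 +0000] "GET /api/setup-complete HTTP/1.1" 200 812',
  '203.0.113.7 - - [27/Jan/2026:10:04:11 +0000] "GET /api/setup-complete HTTP/1.1" 200 812',
  '203.0.113.7 - - [27/Jan/2026:10:04:15 +0000] "GET /API/setup-complete/?x=1 HTTP/1.1" 200 812',
  '198.51.100.9 - - [27/Jan/2026:10:06:40 +0000] "GET /api/setup-complete HTTP/1.1" 403 153',
  '198.51.100.9 - - [27/Jan/2026:10:07:01 +0000] "GET /index.html HTTP/1.1" 200 20',
  'not an access log line',
];

// source, [timestamp], "METHOD target protocol", status
const LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3}) /;

// IPv4 only; any other address form never matches a trusted range.
const toInt = (ip) => ip.split(".").reduce((acc, o) => acc * 256 + Number(o), 0);

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split("/");
  const size = 2 ** (32 - Number(bits));
  return Math.floor(toInt(ip) / size) === Math.floor(toInt(base) / size);
}

// Drop the query string, case and trailing slashes so that variants a
// lenient router may still serve are counted as the same endpoint.
function normalizePath(target) {
  return target.split("?")[0].toLowerCase().replace(/\/+$/, "");
}

function flagSetupCompleteHits(lines, trustedCidrs) {
  const bySource = new Map();
  for (const line of lines) {
    const m = LINE.exec(line);
    if (!m) continue; // skip lines that are not in the expected format
    const [, ip, time, , target, status] = m;
    if (normalizePath(target) !== "/api/setup-complete") continue;
    if (trustedCidrs.some((c) => inCidr(ip, c))) continue;
    const entry = bySource.get(ip) || { ip, served: 0, refused: 0, firstSeen: time };
    if (status === "200") entry.served += 1;
    else entry.refused += 1;
    bySource.set(ip, entry);
  }
  return [...bySource.values()].sort((a, b) => b.served - a.served);
}
```

A source with a non-zero `served` count on a version prior to 1.10.0 received the response body, so its `firstSeen` time is the starting point for the Qdrant access-log review and the key rotation decision.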
Monitoring Recommendations
- Enable comprehensive logging on both the AnythingLLM application and Qdrant database instances
- Implement network segmentation monitoring to detect unexpected communication between the Qdrant database and external networks
- Configure alerts for any Qdrant API key authentication from IP addresses outside the expected application infrastructure
- Regularly audit access patterns to sensitive API endpoints
How to Mitigate CVE-2026-24477
Immediate Actions Required
- Upgrade AnythingLLM to version 1.10.0 or later immediately
- Rotate the Qdrant API key if you suspect potential exposure
- Restrict network access to the Qdrant database to only the AnythingLLM application server
- Review Qdrant access logs for any unauthorized connections prior to patching
Patch Information
Mintplex Labs has released version 1.10.0 of AnythingLLM, which addresses this vulnerability. The patch ensures that sensitive credentials like the QdrantApiKey are no longer exposed through the /api/setup-complete endpoint. Organizations should update to this version or later to remediate the vulnerability.
For detailed information about the fix, refer to the GitHub Security Advisory GHSA-gm94-qc2p-xcwf.
Workarounds
- Implement network-level access controls to restrict access to the AnythingLLM application from trusted networks only
- Deploy a reverse proxy or WAF to block unauthenticated access to the /api/setup-complete endpoint
- Configure Qdrant with IP allowlisting to only accept connections from the AnythingLLM application server
- Place the Qdrant database on an isolated network segment not accessible from the internet
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


