CVE-2026-5627 Overview
CVE-2026-5627 is a path traversal vulnerability [CWE-29] in mintplex-labs/anything-llm versions up to and including 1.9.1. The flaw resides in the AgentFlows component, specifically the loadFlow and deleteFlow methods in server/utils/agentFlows/index.js. Improper use of path.join combined with normalizePath allows authenticated attackers to escape directory restrictions. Attackers can read or delete arbitrary .json files on the server. This enables disclosure of sensitive configuration data containing API keys or denial of service by removing files such as package.json. The issue is resolved in version 1.12.1.
Critical Impact
Authenticated network attackers can read or delete arbitrary .json files on the server, leading to API key disclosure and denial of service.
Affected Products
- mintplex-labs anything-llm versions up to and including 1.9.1
- AgentFlows component in server/utils/agentFlows/index.js
- Deployments exposing the AnythingLLM agent API to authenticated users
Discovery Timeline
- 2026-04-07 - CVE-2026-5627 published to NVD
- 2026-04-24 - Last updated in NVD database
Technical Details for CVE-2026-5627
Vulnerability Analysis
The vulnerability stems from insufficient validation of user-supplied flow identifiers passed to the AgentFlows subsystem. The loadFlow and deleteFlow methods construct file paths using path.join with the attacker-controlled input. While normalizePath is applied, it does not enforce that the resulting path remains within the intended flows directory. An attacker can therefore supply traversal sequences such as ../../ and target any .json file the AnythingLLM process can access.
Reading arbitrary files exposes configuration data, including API keys for downstream LLM providers and vector stores. Deleting critical files like package.json or workspace metadata triggers application failure. The patch in version 1.12.1 introduces an isWithin helper that confirms resolved paths remain inside the trusted flows directory before file operations execute.
Root Cause
The root cause is reliance on path normalization without a containment check [CWE-29]. path.join resolves .. segments, and normalizePath only canonicalizes separators. Neither function verifies that the final path is a descendant of the flows storage directory, leaving traversal possible.
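The root cause above, shown as an added example (not AnythingLLM's code): joining and normalizing a flow identifier next to a resolution that rejects anything outside the flows directory. `FLOWS_DIR` and all function names are hypothetical, POSIX paths are assumed, and `isContained` is an illustrative stand-in for the project's `isWithin` helper, whose source is not shown on this page.

```javascript
const path = require("path");

// Hypothetical flows directory (assumption); POSIX-style paths assumed.
const FLOWS_DIR = "/srv/anythingllm/storage/plugins/agent-flows";

// The flawed pattern: join + normalize collapses ".." segments but never
// checks where the result ends up.
function unsafeFlowPath(id) {
  return path.normalize(path.join(FLOWS_DIR, `${id}.json`));
}

// A tempting but wrong check: a sibling such as "agent-flows-old" shares
// the string prefix without being inside the directory.
function naivePrefixCheck(candidate) {
  return candidate.startsWith(FLOWS_DIR);
}

// Illustrative containment check: `child` must be a strict descendant.
function isContained(parent, child) {
  const rel = path.relative(path.resolve(parent), path.resolve(child));
  return rel !== "" && rel !== ".." &&
    !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// Hardened resolution: returns the path, or null when the id escapes.
// Symlinks inside FLOWS_DIR are not resolved here; compare fs.realpath
// results if the directory may contain links.
function safeFlowPath(id) {
  if (typeof id !== "string" || id === "" || id.includes("\0")) return null;
  const candidate = path.resolve(FLOWS_DIR, `${id}.json`);
  return isContained(FLOWS_DIR, candidate) ? candidate : null;
}

// Constructed identifiers: one ordinary, two that leave the directory.
for (const id of ["3f1c2a9e", "../../../package", "../agent-flows-old/x"]) {
  console.log(id, "->", unsafeFlowPath(id), "| safe:", safeFlowPath(id));
}
```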
Attack Vector
Exploitation requires network access and authenticated privileges sufficient to invoke agent flow operations. An attacker submits a flow identifier containing directory traversal sequences to the loadFlow or deleteFlow endpoints. The server returns the contents of arbitrary .json files or deletes them, depending on the method invoked.
const path = require("path");
const { v4: uuidv4 } = require("uuid");
const { FlowExecutor, FLOW_TYPES } = require("./executor");
-const { normalizePath } = require("../files");
+const { normalizePath, isWithin } = require("../files");
const { safeJsonParse } = require("../http");
/**
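Review bot: the only change visible in this hunk is the isWithin import added to the require("../files") line, so nothing here shows the check being applied. Before approving, confirm that loadFlow and deleteFlow each call isWithin on the final resolved path, with the flows directory as the parent, ahead of any read or delete, and that a failed check returns early. Since normalizePath is still imported, it would also help to have a comment at the call sites stating that normalization alone is not the containment check.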
Source: GitHub Commit 3444b9b
The patch imports an isWithin helper to validate that resolved flow paths fall inside the permitted directory before any read or delete operation proceeds.
Detection Methods for CVE-2026-5627
Indicators of Compromise
- Requests to AnythingLLM agent flow endpoints containing ../ or URL-encoded %2e%2e%2f sequences in the flow identifier parameter.
- Unexpected access or deletion of .json files outside the configured storage/plugins/agent-flows directory.
- Missing or truncated package.json, workspace configuration, or environment metadata files on AnythingLLM servers.
Detection Strategies
- Inspect AnythingLLM application logs for loadFlow or deleteFlow calls referencing identifiers containing traversal characters.
- Monitor file system audit logs for .json file reads or deletions originating from the AnythingLLM process outside its expected working directories.
- Correlate administrative API authentication events with subsequent anomalous flow operations to detect compromised credentials.
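One way to implement the log inspection described above, as an added example that is not part of AnythingLLM: it percent-decodes each request target repeatedly and flags any `..` path segment. The log format, the `/example/flows/` route and the sample lines are constructed placeholders, and the function names are hypothetical.

```javascript
// Constructed sample log lines; the route and log format are placeholders,
// not AnythingLLM's real ones.
const SAMPLE_LOG = [
  "2026-04-10T09:14:02Z user=alice GET /example/flows/3f1c2a9e-7b64-4d1e-9a55-0c2f6e8d1b77",
  "2026-04-10T09:15:40Z user=bob GET /example/flows/..%2f..%2f..%2fpackage",
  "2026-04-10T09:15:44Z user=bob DELETE /example/flows/%2E%2e%2F%2e%2e%2fpackage",
  "2026-04-10T09:16:03Z user=bob GET /example/flows/%252e%252e%252fconfig",
  "2026-04-10T09:17:20Z user=carol GET /example/flows/release..notes",
];

// Percent-decode up to `rounds` times so nested encodings are unwrapped.
function decodeRepeatedly(value, rounds = 3) {
  let current = value;
  for (let i = 0; i < rounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch {
      break; // malformed escape: keep what has been decoded so far
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// True when any path segment is exactly ".." after decoding; names that
// merely contain dots (e.g. "release..notes") are not flagged.
function hasTraversal(target) {
  return decodeRepeatedly(target).split(/[\\/]/).includes("..");
}

// Returns one record per log line whose request target contains traversal.
function findTraversalAttempts(lines) {
  const hits = [];
  for (const line of lines) {
    const m = line.match(/^(\S+) user=(\S+) (GET|POST|DELETE) (\S+)$/);
    if (m && hasTraversal(m[4])) {
      hits.push({ time: m[1], user: m[2], method: m[3], target: m[4] });
    }
  }
  return hits;
}

console.log(findTraversalAttempts(SAMPLE_LOG));
```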
Monitoring Recommendations
- Enable verbose request logging on the AnythingLLM server and forward logs to a centralized analytics platform.
- Alert on file integrity changes to critical files such as package.json, .env, and workspace JSON definitions.
- Track outbound API key usage anomalies that may indicate disclosure of leaked credentials.
How to Mitigate CVE-2026-5627
Immediate Actions Required
- Upgrade mintplex-labs/anything-llm to version 1.12.1 or later, which adds the isWithin containment check.
- Rotate any API keys, tokens, and provider credentials stored in AnythingLLM configuration files that may have been exposed.
- Audit existing flow files and server-side .json files for unauthorized access or unexplained deletions.
Patch Information
The fix is implemented in commit 3444b9b0aa6764d72d53670ab4b1aaccdc6b7017 and shipped in AnythingLLM 1.12.1. The patch adds an isWithin helper imported from ../files and applies it inside the loadFlow and deleteFlow methods of server/utils/agentFlows/index.js. See the GitHub commit and the Huntr bounty report for details.
Workarounds
- Restrict access to AnythingLLM administrative and agent endpoints using network segmentation and reverse-proxy allow lists until the upgrade is applied.
- Limit which accounts hold privileges to invoke agent flow operations, reducing the population of users who can reach loadFlow and deleteFlow.
- Run the AnythingLLM process under a dedicated low-privilege user with file system access constrained to its required directories.
# Upgrade AnythingLLM to the patched release
git fetch --all --tags
git checkout v1.12.1
yarn install --frozen-lockfile
yarn prod:server
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


