CVE-2026-5627 Overview
A critical path traversal vulnerability has been identified in mintplex-labs/anything-llm versions up to and including 1.9.1. The vulnerability exists within the AgentFlows component and stems from improper handling of user input in the loadFlow and deleteFlow methods located in server/utils/agentFlows/index.js. Attackers can exploit the flawed combination of path.join and normalizePath functions to bypass directory restrictions, enabling access to or deletion of arbitrary .json files on the server.
Critical Impact
This vulnerability enables attackers with high privileges to read sensitive configuration files containing API keys (information disclosure) or delete critical application files such as package.json (denial of service), potentially compromising the entire AnythingLLM deployment.
Affected Products
- mintplex-labs/anything-llm versions up to and including 1.9.1
- AnythingLLM deployments using the AgentFlows component
- Server installations with .json configuration files containing sensitive data
Discovery Timeline
- 2026-04-07 - CVE-2026-5627 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-5627
Vulnerability Analysis
This path traversal vulnerability (CWE-29) allows attackers to escape the intended directory context when loading or deleting flow configurations. The vulnerability is particularly dangerous because it enables both read and delete operations on arbitrary .json files across the server filesystem.
The attack requires network access and high privileges (such as administrator access to the AnythingLLM instance), but once these prerequisites are met, the impact extends beyond the application's scope—affecting other applications and data on the same server. This cross-scope impact makes the vulnerability especially concerning in shared hosting environments or enterprise deployments where multiple sensitive applications may coexist.
Root Cause
The root cause lies in the insufficient path validation logic within the AgentFlows utility module. The original implementation relied on path.join combined with normalizePath to construct file paths, but this combination fails to prevent directory traversal sequences (such as ../) from escaping the designated flows directory. The vulnerability specifically affects the loadFlow and deleteFlow methods, which accept user-controlled input without properly validating that the resolved path remains within the expected directory boundary.
Attack Vector
The attack is network-based, requiring the attacker to have authenticated access with high privileges (administrator-level) to the AnythingLLM application. The attacker crafts malicious flow names containing directory traversal sequences to target files outside the intended agentFlows directory. For example, an attacker could request to load or delete a flow named ../../config/settings to access files in parent directories.
The exploitation path involves:
- Authenticating to the AnythingLLM instance with administrator privileges
- Invoking the loadFlow or deleteFlow API endpoints with crafted path traversal payloads
- The server processes the malicious path, bypassing directory restrictions due to flawed path handling
- Arbitrary .json files are read or deleted based on the method invoked
const path = require("path");
const { v4: uuidv4 } = require("uuid");
const { FlowExecutor, FLOW_TYPES } = require("./executor");
-const { normalizePath } = require("../files");
+const { normalizePath, isWithin } = require("../files");
const { safeJsonParse } = require("../http");
/**
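Review bot: Nothing in this hunk shows isWithin being called; the changed require("../files") line only brings it into scope, so the fix depends on call sites that are not visible here. Please confirm that both loadFlow and deleteFlow check the resolved file path against the flows directory with it before the read or delete, and that they bail out when the check fails. Since normalizePath stays in the import, a one-line comment at those call sites saying which of the two is the boundary check would keep a later refactor from dropping the wrong one.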
Source: GitHub Commit
The security patch introduces the isWithin helper function from the files utility module, which validates that the resolved file path remains within the designated directory boundary before proceeding with file operations.
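The pattern behind the root cause and the patch described above, as an added example (not the project's code): joining a user-supplied name onto a base directory without a boundary check, next to a resolve-then-verify version. FLOWS_DIR, isInside, unsafeFlowPath and safeFlowPath are hypothetical names, and isInside is not the project's isWithin.

```javascript
const path = require("node:path");

// Constructed flows directory for this example (not the project's real path).
const FLOWS_DIR = path.resolve("/srv/anythingllm/storage/agent-flows");

// Hypothetical containment check: true only when `target` resolves to a
// location strictly below `baseDir`. Comparing with path.relative avoids the
// string-prefix mistake where "/a/flows-backup" appears to be inside "/a/flows".
function isInside(baseDir, target) {
  const rel = path.relative(path.resolve(baseDir), path.resolve(target));
  if (rel === "" || path.isAbsolute(rel)) return false;
  return rel !== ".." && !rel.startsWith(".." + path.sep);
}

// "Before" pattern: the name is joined onto the base and used as-is.
// path.join collapses ".." segments, so the result can leave FLOWS_DIR.
function unsafeFlowPath(name) {
  return path.join(FLOWS_DIR, `${name}.json`);
}

// "After" pattern: resolve first, then refuse anything outside FLOWS_DIR.
function safeFlowPath(name) {
  if (typeof name !== "string" || name.length === 0 || name.includes("\0")) {
    return null;
  }
  const candidate = path.resolve(FLOWS_DIR, `${name}.json`);
  return isInside(FLOWS_DIR, candidate) ? candidate : null;
}

// Constructed inputs: a normal flow id, the traversal name quoted in the
// advisory, an absolute path, and a sibling directory sharing the base prefix.
function demo() {
  const names = ["3f2a-flow", "../../config/settings", "/etc/app/secrets",
    "../agent-flows-backup/x"];
  return names.map((name) => ({
    name,
    unsafe: unsafeFlowPath(name),
    safe: safeFlowPath(name),
  }));
}

console.table(demo());
```

The check is lexical: if the flows directory can contain symlinks, resolve the candidate with fs.realpathSync before comparing.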
Detection Methods for CVE-2026-5627
Indicators of Compromise
- Unusual access patterns to the loadFlow or deleteFlow API endpoints with path traversal sequences (../, ..%2f, etc.)
- Missing or corrupted .json configuration files, particularly package.json or API key files
- Error logs indicating file access attempts outside the agentFlows directory
- Unexpected API key rotation requests following potential credential exposure
Detection Strategies
- Monitor API request logs for flow names containing directory traversal patterns such as ../, ..\, or URL-encoded variants
- Implement file integrity monitoring on critical configuration files including package.json and any files containing API credentials
- Configure web application firewall (WAF) rules to detect and block path traversal attempts in request parameters
- Enable verbose logging on the AnythingLLM server to capture all flow load and delete operations with full path resolution details
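One way to implement the first strategy above over request logs, as an added example rather than vendor or project tooling. The log format, the sample lines and the /api/v1/agent-flows/ prefix (taken from the nginx example on this page) are assumptions, and the function names are hypothetical.

```javascript
// Decode percent-encoding repeatedly (bounded) so nested encoding is reduced
// to its literal form before matching. Malformed escapes are left untouched.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch {
      return current;
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// A ".." path segment bounded by "/" or "\" or the start/end of the string,
// so names that merely contain two dots ("release..notes") do not match.
const TRAVERSAL = /(^|[\\/])\.\.([\\/]|$)/;

// Constructed log format: "<ip> <METHOD> <uri> <status>".
function findTraversalRequests(lines, prefix = "/api/v1/agent-flows/") {
  const hits = [];
  for (const line of lines) {
    const [ip, method, uri, status] = line.trim().split(/\s+/);
    if (!uri || !uri.startsWith(prefix)) continue;
    const decoded = fullyDecode(uri.slice(prefix.length).split("?")[0]);
    if (TRAVERSAL.test(decoded)) {
      hits.push({ ip, method, status: Number(status), decoded });
    }
  }
  return hits;
}

// Constructed sample lines, not taken from a real deployment.
const SAMPLE_LOG = [
  "10.0.4.17 GET /api/v1/agent-flows/6c1e0b52-flow 200",
  "10.0.4.17 GET /api/v1/agent-flows/..%2f..%2fconfig%2fsettings 200",
  "10.0.9.3 DELETE /api/v1/agent-flows/%252e%252e%252fpackage 200",
  "10.0.4.22 GET /api/v1/agent-flows/release..notes 404",
  "10.0.4.22 GET /api/v1/workspaces/..%2fx 404",
];

console.table(findTraversalRequests(SAMPLE_LOG));
```

A 200 status on a flagged line is the case to escalate first, since it suggests the request was served rather than rejected.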
Monitoring Recommendations
- Deploy SentinelOne agents on servers hosting AnythingLLM to detect anomalous file access patterns and potential post-exploitation activity
- Set up alerts for file deletion events on critical application files outside the expected directories
- Implement audit logging for all administrative actions within AnythingLLM, particularly flow management operations
- Establish baseline behavior for normal flow operations to identify anomalous access patterns
How to Mitigate CVE-2026-5627
Immediate Actions Required
- Upgrade mintplex-labs/anything-llm to version 1.12.1 or later, which contains the security fix
- Review server logs for any evidence of exploitation attempts targeting the loadFlow or deleteFlow endpoints
- Audit API key files and configuration files for unauthorized access or modifications
- Temporarily restrict administrative access to trusted IP addresses until the upgrade is completed
Patch Information
The vulnerability has been resolved in AnythingLLM version 1.12.1. The fix introduces the isWithin validation function that ensures all file path resolutions remain within the designated agentFlows directory before any file operations are performed. The security patch is available via the official GitHub commit. Additional details about the vulnerability discovery are available in the Huntr bounty submission.
Workarounds
- If immediate upgrade is not possible, implement network-level access controls to restrict access to the AnythingLLM administrative interface
- Deploy a reverse proxy or WAF with rules to filter requests containing path traversal sequences targeting flow-related endpoints
- Temporarily disable the AgentFlows feature if it is not critical to operations until the upgrade can be performed
- Implement file system permissions to restrict the AnythingLLM process from accessing files outside its application directory
# Configuration example - Restrict access to AnythingLLM admin endpoints via nginx
location /api/v1/agent-flows/ {
    # Allow only trusted internal networks
    allow 10.0.0.0/8;
    allow 192.168.0.0/16;
    deny all;

    # Additional WAF-style filtering for path traversal.
    # $request_uri is the raw, undecoded URI, so percent-encoded dots and
    # slashes are matched as well; request bodies are not inspected.
    if ($request_uri ~* "(\.|%2e)(\.|%2e)(/|%2f|%5c)") {
        return 403;
    }

    proxy_pass http://localhost:3001;
}