In mintplex-labs/anything-llm, a vulnerability exists due to improper input validation in the workspace update process. Specifically, the application fails to validate or format JSON data sent in an HTTP POST request to `/api/workspace/:workspace-slug/update`, allowing it to be executed as part of a database query without restrictions. This flaw enables users with a manager role to craft a request that includes nested write operations, effectively allowing them to create new Administrator accounts.
History

Thu, 10 Jul 2025 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Mintplexlabs
Mintplexlabs anythingllm
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*
Vendors & Products Mintplexlabs
Mintplexlabs anythingllm
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-05-20T12:24:51.682Z

Updated: 2024-08-01T20:33:53.198Z

Reserved: 2024-04-26T23:58:39.827Z

Link: CVE-2024-4287

cve-icon Vulnrichment

Updated: 2024-08-01T20:33:53.198Z

cve-icon NVD

Status : Analyzed

Published: 2024-05-20T13:15:23.980

Modified: 2025-07-10T17:19:03.897

Link: CVE-2024-4287

cve-icon Redhat

No data.