Vulnerability in mintplex-labs anything-llm Allows for Easy Creation of New Administrator Accounts
CVE-2024-4287
7.2HIGH
What is CVE-2024-4287?
An issue has been identified in Mintplex Labs' Anything-LLM where improper input validation during the workspace update process allows for manipulation of JSON data. This vulnerability occurs during an HTTP POST request to the endpoint /api/workspace/:workspace-slug/update
, where the system fails to properly validate or format the incoming JSON. As a result, users with managerial privileges can execute crafted requests that perform nested write operations, enabling them to create unauthorized Administrator accounts without proper authentication or authorization checks.