Filesystem Path Validation Flaw in AnythingLLM Application
CVE-2026-45403

2LOW

Key Information:

Vendor
CVE Published:
28 May 2026

What is CVE-2026-45403?

The AnythingLLM application, designed for managing content references in LLMs, has a vulnerability in its filesystem copy tool. Before version 1.13.0, this tool inadequately validates the destination paths of copied files, allowing an attacker to exploit symlinks that descend from permitted directories. This means that malicious symlinks could trick the application into copying unauthorized files outside its intended directories, leading to potential exposure of sensitive data. This issue has been addressed in version 1.13.0, highlighting the importance of robust path validation in file handling operations.

Affected Version(s)

anything-llm < 1.13.0

References

CVSS V3.1

Score:
2
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.