Filesystem Path Validation Flaw in AnythingLLM Application
CVE-2026-45403
2LOW
What is CVE-2026-45403?
The AnythingLLM application, designed for managing content references in LLMs, has a vulnerability in its filesystem copy tool. Before version 1.13.0, this tool inadequately validates the destination paths of copied files, allowing an attacker to exploit symlinks that descend from permitted directories. This means that malicious symlinks could trick the application into copying unauthorized files outside its intended directories, leading to potential exposure of sensitive data. This issue has been addressed in version 1.13.0, highlighting the importance of robust path validation in file handling operations.
Affected Version(s)
anything-llm < 1.13.0
