Path Traversal Vulnerability in Mintplex Labs Anything LLM Product
CVE-2026-5627

9.1CRITICAL

Key Information:

Vendor: Mintplex-labs
Status: Mintplex-labs/anything-llm
Vendor: CVE Published:; 7 April 2026

🔔 Create Mintplex-labs Vulnerability Alert

What is CVE-2026-5627?

A path traversal vulnerability in Mintplex Labs' Anything LLM product enables attackers to manipulate user input, bypassing directory restrictions. This flaw is present in the loadFlow and deleteFlow methods of server/utils/agentFlows/index.js. By exploiting the combination of path.join and normalizePath, unauthorized access to sensitive .json files on the server can occur. Potential risks include the exposure of critical configuration information and denial of service by deleting essential files, such as package.json. The issue has been mitigated in version 1.12.1.

Affected Version(s)

mintplex-labs/anything-llm < 1.12.1

References

https://huntr.com/bounties/597d41c5-7ea0-4786-80f4-bd536e...

https://github.com/mintplex-labs/anything-llm/commit/3444...

CVSS V3.0

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Apr 5, 2026

CVE-2026-5627 Data

JSON