Severity: High

Project: anything-llm

Sensitive Information Exposure via /setup-complete API

The /setup-complete API in version 1.5.5 of AnythingLLM exposes sensitive information, including API keys. This vulnerability was patched in a subsequent release.

Available publicly on Jul 23 2024

CVSS score: 7.5

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Credit: rpie9

Threat Overview

The /setup-complete API endpoint in AnythingLLM version 1.5.5 allows unauthorized users to access sensitive system settings, including various API keys. This exposure can lead to unauthorized access and potential misuse of the API keys, resulting in significant security risks such as data breaches and financial loss.

Attack Scenario

An attacker can exploit this vulnerability by accessing the /setup-complete endpoint without any authentication. By doing so, they can retrieve sensitive information such as API keys for Google Search Engine, Serper, and Bing Search. These keys can then be used to perform unauthorized actions or access restricted data.

Who is affected

Users running AnythingLLM version 1.5.5 are affected by this vulnerability. This includes any deployments where the /setup-complete endpoint is accessible without proper authentication.
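The Threat Overview and Attack Scenario above describe a setup-status endpoint that answers unauthenticated callers with the raw settings object, keys included. The block below is an added illustration of the two controls that close that class of bug, written for this page and not taken from AnythingLLM's code base: a session check in front of the handler, and a response that reports only whether each key is configured rather than echoing its value. The setting names, session token and key values are constructed, and the handler signatures are a generic request/response shape rather than the project's own API.

```javascript
// Added illustration (not AnythingLLM's code) of the two controls that close
// this class of bug: an authentication check in front of the endpoint, and a
// response that reports whether each key is configured instead of echoing the
// key itself. All setting names, tokens and key values below are constructed.

// Constructed settings record: the three key types named in the advisory plus
// two non-secret settings that a setup-status endpoint legitimately needs.
const SAMPLE_SETTINGS = {
  LLMProvider: "openai",
  VectorDB: "lancedb",
  GoogleSearchKey: "constructed-google-key-0001",
  SerperKey: "constructed-serper-key-0002",
  BingSearchKey: "constructed-bing-key-0003",
};

// Constructed session store standing in for whatever the real app uses.
const VALID_SESSION_TOKENS = new Set(["constructed-session-token"]);

// Setting names whose values must never be returned verbatim.
const SECRET_NAME = /key|secret|token|password/i;

// Vulnerable shape: no authentication, whole settings object returned.
function vulnerableSetupComplete(_request, settings) {
  return { status: 200, body: { results: settings } };
}

// Replace each secret value with a boolean so a setup UI can still show
// "configured / not configured" without ever receiving the key material.
function redactSettings(settings) {
  const out = {};
  for (const [name, value] of Object.entries(settings)) {
    out[name] = SECRET_NAME.test(name)
      ? { configured: typeof value === "string" && value.length > 0 }
      : value;
  }
  return out;
}

// Accept only a bearer token that is present in the session store.
function isAuthenticated(request) {
  const header = (request.headers && request.headers.authorization) || "";
  const [scheme, token] = header.split(" ");
  return scheme === "Bearer" && VALID_SESSION_TOKENS.has(token);
}

// Hardened shape: 401 without a valid session, redacted payload with one.
function hardenedSetupComplete(request, settings) {
  if (!isAuthenticated(request)) {
    return { status: 401, body: { error: "Unauthorized" } };
  }
  return { status: 200, body: { results: redactSettings(settings) } };
}

// Regression check: does the serialized response body contain any value that
// belongs to a secret-named setting? Useful as a unit test on every release.
function leaksAnySecret(response, settings) {
  const serialized = JSON.stringify(response.body);
  return Object.entries(settings)
    .filter(([name]) => SECRET_NAME.test(name))
    .some(([, value]) => serialized.includes(value));
}

// Demo when run directly with node.
const anonymous = { headers: {} };
const signedIn = { headers: { authorization: "Bearer constructed-session-token" } };
console.log("vulnerable handler leaks to anonymous caller:",
  leaksAnySecret(vulnerableSetupComplete(anonymous, SAMPLE_SETTINGS), SAMPLE_SETTINGS));
console.log("hardened handler status for anonymous caller:",
  hardenedSetupComplete(anonymous, SAMPLE_SETTINGS).status);
console.log("hardened handler leaks to signed-in caller:",
  leaksAnySecret(hardenedSetupComplete(signedIn, SAMPLE_SETTINGS), SAMPLE_SETTINGS));
```

The redaction step matters even once authentication is in place: a setup-status page only needs to know that a key exists, so returning the key to any browser session widens the blast radius of a stolen cookie or a cross-site leak for no functional gain. The `leaksAnySecret` check is the kind of assertion to keep in a project's test suite so the endpoint cannot quietly regress to the exposed shape.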
