High

anything-llm

Privilege Escalation via Thread Update

A vulnerability in mintplex-labs/anything-llm allows users with Default or Manager roles to escalate their privileges to Administrator by exploiting a bug in the thread update process. This issue affects the latest version of the software and was patched in version 1.0.0.

Available publicly on May 16 2024

8.1

CVSS:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Credit:

noizybit
Threat Overview

The vulnerability stems from improper input validation in the thread update endpoint (/workspace/:slug/thread/:threadSlug/update). Specifically, the application fails to validate user input when updating a thread name, allowing an attacker to inject a Prisma relation query to modify the users model. This flaw enables users with lower privileges to escalate their roles to Administrator by crafting a malicious POST request.

Attack Scenario

An attacker with Default or Manager privileges logs into the application, creates a new thread, and then sends a specially crafted POST request to the thread update endpoint. This request includes a payload designed to exploit the lack of input validation, altering the attacker's role to Administrator. Upon re-authentication, the attacker gains full administrative access.

Who is affected

Users of mintplex-labs/anything-llm prior to version 1.0.0 are affected. Specifically, this vulnerability impacts systems where users with Default or Manager roles can exploit the flaw to gain Administrator privileges, potentially compromising the entire application.

Technical Report
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have - related security advisories that are available with Sightline Premium.