{"data":{"id":"5d8a2d64-b7f9-43a5-9877-96e2e7e14607","title":"CVE-2025-63390: An authentication bypass vulnerability exists in AnythingLLM v1.8.5 via the /api/workspaces endpoint. The endpoint fa","summary":"AnythingLLM v1.8.5 has a vulnerability in its /api/workspaces endpoint (a web address used to access workspace data) that skips authentication checks, allowing attackers without permission to see detailed information about all workspaces, including AI model settings, system prompts (instructions given to the AI), and other configuration details. This means someone could potentially discover sensitive workspace configurations without needing to log in.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2025-63390","publishedAt":"2025-12-18T16:15:54.867Z","cveId":"CVE-2025-63390","cweIds":["CWE-306"],"cvssScore":"5.3","cvssSeverity":"medium","severity":"medium","attackType":["data_extraction"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["AnythingLLM"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00036,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-115"],"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}