AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-24477: AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatti

highvulnerability

securityprivacy

Source: NVD/CVE DatabaseJanuary 27, 2026CVE-2026-24477

Summary

AnythingLLM is an application that lets users feed documents into an LLM so it can reference them during conversations. Versions before 1.10.0 had a security flaw where an API key (QdrantApiKey) for Qdrant, the database that stores document information, could be exposed to anyone without authentication (credentials). If exposed, attackers could read or modify all the documents and knowledge stored in the database, breaking the system's ability to search and retrieve information correctly.

Solution / Mitigation

Update AnythingLLM to version 1.10.0 or later. According to the source: 'Version 1.10.0 patches the issue.'

Vulnerability Details

CVSS Score

7.5(high)

EPSS (30-day exploit probability)

EPSS: 0.0%

Classification

Attack Type

Data ExtractionPII Leakage

Attack SophisticationTrivial

Impact (CIA+S)

confidentiality

Taxonomy References

CWE (Weakness Type)

CWE-201

Affected Vendors

LangChain

Related Issues

critical

CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-

Same vendorNVD/CVE Database

critical

CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive

First tracked: February 15, 2026 at 08:49 PM

Classified by LLM (prompt v3) · confidence: 95%