CVE-2026-5627
Published:April 07, 2026
Updated:April 20, 2026
A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the "AgentFlows" component. The vulnerability arises from improper handling of user input in the "loadFlow" and "deleteFlow" methods in "server/utils/agentFlows/index.js". Specifically, the combination of "path.join" and "normalizePath" allows attackers to bypass directory restrictions and access or delete arbitrary ".json" files on the server. This can lead to information disclosure, such as leaking sensitive configuration files containing API keys, or denial of service by deleting critical files like "package.json". The issue is resolved in version 1.12.1.
Affected Packages
https://github.com/mintplex-labs/anything-llm.git (GITHUB):
Affected version(s) >=v1.0.0 <1.12.1Fix Suggestion:
Update to version 1.12.1Related ResourcesĀ (2)
Do you need more information?
Contact UsCVSS v4
Base Score:
9.4
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
HIGH
Subsequent System Availability
HIGH
CVSS v3
Base Score:
9.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Path Traversal: '..filename'
EPSS
Base Score:
0.04
