CVE-2026-45403: AnythingLLM Path Traversal via Symlink Abuse – Patch to 1.13.0
AnythingLLM versions before 1.13.0 contain a path traversal vulnerability in the agent filesystem copy tool. When copying files, the application only validates the top-level source and destination directories but fails to validate nested files or reject symbolic links. An attacker with high privileges could create or exploit a symlink nested within an allowed source directory to read files outside the intended filesystem boundaries and copy them to an allowed destination, potentially exposing sensitive data. The vulnerability requires high user privileges, complex conditions, and user interaction to exploit, making practical real-world abuse unlikely despite the core weakness.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 2.0 LOW · CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-59
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the AnythingLLM agent filesystem copy tool validates only the top-level source and destination paths. The recursive copy helper then descends into child entries using fs.stat() and copies files with fs.copyFile() without validating each child or rejecting symlinks. Because both APIs follow symlinks, a symlink nested inside an allowed source directory can point outside the allowed filesystem root and cause outside file contents to be copied into an allowed destination as a regular file. This vulnerability is fixed in 1.13.0.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from incomplete path validation in AnythingLLM's recursive copy functionality. The agent filesystem copy tool validates only the top-level source and destination paths before initiating a copy operation. However, when the recursive copy helper processes child entries, it calls fs.stat() and fs.copyFile() without validating each nested path or rejecting symbolic links. Both Node.js filesystem APIs automatically follow symlinks, meaning a malicious symlink placed within an allowed source directory can point to arbitrary filesystem locations outside the root. When copied, the symlink target's contents become accessible as regular files in the allowed destination directory. This bypasses the intended filesystem isolation. The issue is resolved in version 1.13.0 by adding per-entry validation and symlink rejection during recursive traversal.
Business impact
For organizations using AnythingLLM in production, this vulnerability presents a limited but real risk to data confidentiality. An internal actor with administrative access could potentially exfiltrate sensitive files stored on the same system—such as configuration files, credentials, or private documents—by crafting malicious symlinks and triggering copy operations. The risk is primarily internal; remote attackers cannot exploit this without first gaining high-level system access. Organizations relying on AnythingLLM for handling proprietary or regulated data should prioritize upgrading to mitigate the risk of accidental or intentional insider abuse.
Affected systems
AnythingLLM prior to version 1.13.0 is affected. This includes all deployments of the application running earlier versions, whether self-hosted, containerized, or integrated into third-party systems. The Mintplex Labs project should be checked for the availability of version 1.13.0 or later patches across supported deployment methods (Docker, npm, cloud instances, or direct installation).
Exploitability
Exploitation is restricted by multiple factors. The attacker must possess high-level user privileges within AnythingLLM to access the agent filesystem copy tool, the application must be configured to allow filesystem operations, the attacker must be able to create or have pre-existing symlinks within the source directory structure, and user interaction is required to trigger the copy operation. These constraints significantly limit the attack surface. No known public exploits or automated weaponization exist (not on CISA KEV list). Exploitation is most realistic in scenarios involving disgruntled insiders or compromised high-privilege accounts already operating within a trusted network.
Remediation
Upgrade to AnythingLLM version 1.13.0 or later. Verify the upgrade through your deployment method (Docker image update, npm package update, or direct binary replacement depending on your installation). After upgrade, restart the service and verify core functionality. No configuration changes or data migration is required. For organizations unable to upgrade immediately, restrict access to the agent filesystem copy tool to trusted administrators only and monitor filesystem copy operations for suspicious activity.
Patch guidance
To patch your installation: (1) For Docker deployments, pull and redeploy the image tagged 1.13.0 or later from the Mintplex Labs registry. (2) For npm-based installations, run `npm install anythingllm@latest` or explicitly update to 1.13.0+. (3) For direct installations, download the 1.13.0 release binary from the official Mintplex Labs releases page. After any deployment method, restart the service and confirm it initializes without errors. Test the filesystem copy functionality with legitimate paths to ensure the fix does not break normal operations. Verify against the vendor advisory at the Mintplex Labs GitHub repository for any additional migration guidance.
Detection guidance
Monitor logs for recursive filesystem copy operations targeting unexpected paths or those exiting the intended source directory. Watch for fs.stat() or fs.copyFile() calls that reference symbolic links, especially within user-controlled or agent-managed directories. Endpoint detection and response (EDR) solutions should flag processes spawned by AnythingLLM that access files outside expected application directories. File integrity monitoring on sensitive configuration and credential files can detect unauthorized copying. Review access controls on the system running AnythingLLM to identify unnecessary high-privilege accounts that could exploit this vulnerability. Check for recently created symlinks within AnythingLLM's working directories that may indicate pre-positioning for attacks.
Why prioritize this
Although this vulnerability carries a low CVSS score (2.0) due to high privilege requirements, user interaction, and limited scope, it directly threatens data confidentiality for organizations handling sensitive information. Prioritize based on your deployment context: (1) High priority if AnythingLLM manages proprietary, regulated, or confidential data and multiple administrators have access. (2) Medium priority for standard deployments with restricted admin access and regular security monitoring. (3) Lower priority for isolated development or non-production instances. The fix is straightforward and incurs no operational risk, making patching cost-effective even for lower-risk environments.
Risk score, explained
The CVSS 3.1 score of 2.0 (LOW severity, vector CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N) reflects the combination of factors: network-accessible vector (AV:N) offset by high attack complexity due to symlink setup requirements (AC:H), high privilege level (PR:H) and required user interaction (UI:R). The impact is limited to confidentiality (C:L) with no integrity or availability impact. However, the score underweights the practical risk in environments where multiple privileged users have unsupervised access or where insider threats are a concern. Treat the score as a technical baseline rather than a complete business risk assessment.
Frequently asked questions
Can an unauthenticated remote attacker exploit this vulnerability?
No. Exploitation requires high-level user privileges within AnythingLLM, meaning the attacker must already be authenticated and authorized to use the agent filesystem copy tool. Remote unauthenticated attackers cannot exploit this vulnerability directly.
What types of files could be accessed through symlink traversal?
Any file readable by the AnythingLLM process user account could potentially be accessed and copied to an allowed destination. This typically includes configuration files, environment variables logged to disk, other application data on the same system, and in worst cases, system files if AnythingLLM runs with elevated privileges. The scope depends on the process's file system permissions.
Is this vulnerability being actively exploited in the wild?
There is no evidence of active exploitation in the wild. The vulnerability is not on CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no documented public exploitation campaigns. However, the attack pattern is well-known to security researchers, so the risk exists once details become widely known.
Do I need to migrate data or reconfigure AnythingLLM after patching to 1.13.0?
No. Version 1.13.0 is a drop-in upgrade requiring only a restart of the service. No data migration, configuration changes, or API modifications are necessary. Existing installations should function normally after upgrade.
This analysis is provided for informational purposes and does not constitute legal, compliance, or professional security advice. The vulnerability details, CVSS score, affected versions, and patch availability are derived from the official CVE record and Mintplex Labs advisory. Organizations must verify patch compatibility with their specific deployment architecture and test in non-production environments before rolling out to production systems. SEC.co makes no warranty regarding the timeliness, accuracy, or completeness of patch availability across all deployment methods. Consult the Mintplex Labs GitHub repository and official security advisories for the authoritative source of truth on fixes and workarounds. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11322MEDIUMHermes WebUI Path Traversal Vulnerability – Credential Exposure Risk
- CVE-2026-40861MEDIUMApache Airflow Path Traversal – Log Directory Symlink and Directory Escape Vulnerability
- CVE-2026-41236HIGHFroxlor 2.3.6 Symlink Privilege Escalation to Root
- CVE-2026-49135HIGHCodexBar Insecure Temporary File Handling Allows Local Credential Theft
- CVE-2026-47713LOWAnythingLLM Pre-Migration Token Privilege Escalation & Data Exposure
- CVE-2026-48116HIGHAnythingLLM Command Injection via Ripgrep Abuse
- CVE-2024-42206LOWHCL iReflection Third-Party Component Vulnerability
- CVE-2025-48616LOWAndroid Lockdown Bypass via Screen Pinning Logic Error