CVE•Published 2026-04-07•Modified 2026-04-24•1 article on news•6 live references•NVD data

CVE-2026-5627Mintplexlabs · Anythingllm

Vulnerability data via NVD (ingested)

CVSS v3.1

7.2

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS percentile

—

Weaknesses (CWE)

CWE-29Path Traversal: '\..\filename'

Description

A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the `AgentFlows` component. The vulnerability arises from improper handling of user input in the `loadFlow` and `deleteFlow` methods in `server/utils/agentFlows/index.js`. Specifically, the combination of `path.join` and `normalizePath` allows attackers to bypass directory restrictions and access or delete arbitrary `.json` files on the server. This can lead to information disclosure, such as leaking sensitive configuration files containing API keys, or denial of service by deleting critical files like `package.json`. The issue is resolved in version 1.12.1.

Timeline

Published 2026-04-07

Modified 2026-04-24

External references

NVD MITRE Exploit-DB GitHub PoC Sploitus VulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts

vuln:CVE-2026-5627

Hosts Shodan has explicitly fingerprinted as vulnerable.

Shodan · product

product:"Mintplexlabs Anythingllm"

All exposed Mintplexlabs Anythingllm instances — cross-reference with the CVE's affected-version range.

Shodan · banner/body mention

http.html:"Anythingllm"

HTTP body or banner mentions "Anythingllm" — catches deploys Shodan didn't identify as a product.

More intel sources (5)

Shodan report

vuln:CVE-2026-5627