{"id":"CVE-2024-3101","details":"In mintplex-labs/anything-llm, an improper input validation vulnerability allows attackers to escalate privileges by deactivating 'Multi-User Mode'. By sending a specially crafted curl request with the 'multi_user_mode' parameter set to false, an attacker can deactivate 'Multi-User Mode'. This action permits the creation of a new admin user without requiring a password, leading to unauthorized administrative access.","modified":"2026-03-14T12:28:24.329178Z","published":"2024-04-10T17:15:56.417Z","references":[{"type":"FIX","url":"https://github.com/mintplex-labs/anything-llm/commit/52fac844221a9b951d08ceb93c4c014e9397b1f2"},{"type":"EVIDENCE","url":"https://huntr.com/bounties/c114c03e-3348-450f-88f7-538502047bcc"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mintplex-labs/anything-llm","events":[{"introduced":"0"},{"fixed":"013c0b9575ae6a87af87275e326041c4e0afeeee"},{"fixed":"52fac844221a9b951d08ceb93c4c014e9397b1f2"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.0.0"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-3101.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}