{"id":"CVE-2024-3283","details":"A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The '/admin/system-preferences' API endpoint improperly authorizes manager-level users to modify the 'multi_user_mode' system variable, enabling them to access the '/api/system/enable-multi-user' endpoint and create a new admin user. This issue results from the endpoint accepting a full JSON object in the request body without proper validation of modifiable fields, leading to unauthorized modification of system settings and subsequent privilege escalation.","modified":"2026-03-14T12:33:19.843948Z","published":"2024-04-10T17:15:56.600Z","references":[{"type":"FIX","url":"https://github.com/mintplex-labs/anything-llm/commit/52fac844221a9b951d08ceb93c4c014e9397b1f2"},{"type":"EVIDENCE","url":"https://huntr.com/bounties/a8000cce-0ecb-4820-9cfb-57ba6f4d58a2"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mintplex-labs/anything-llm","events":[{"introduced":"0"},{"fixed":"013c0b9575ae6a87af87275e326041c4e0afeeee"},{"fixed":"52fac844221a9b951d08ceb93c4c014e9397b1f2"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.0.0"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-3283.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}