{"id":"CVE-2024-6842","details":"In version 1.5.5 of mintplex-labs/anything-llm, the `/setup-complete` API endpoint allows unauthorized users to access sensitive system settings. The data returned by the `currentSettings` function includes sensitive information such as API keys for search engines, which can be exploited by attackers to steal these keys and cause loss of user assets.","modified":"2026-03-14T12:40:46.009437Z","published":"2025-03-20T10:15:33.993Z","references":[{"type":"FIX","url":"https://github.com/mintplex-labs/anything-llm/commit/8b1ceb30c159cf3a10efa16275bc6849d84e4ea8"},{"type":"EVIDENCE","url":"https://huntr.com/bounties/cd911fc7-ac6b-4974-acd0-9cc926fa8d9e"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mintplex-labs/anything-llm","events":[{"introduced":"0"},{"fixed":"8b1ceb30c159cf3a10efa16275bc6849d84e4ea8"}]}],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"1.5.5"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-6842.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}