CVE-2026-21484

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-21484
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-21484.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-21484
Aliases
  • GHSA-47vr-w3vm-69ch
Published
2026-01-03T01:21:39.386Z
Modified
2026-03-13T03:56:11.182939Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
AnythingLLM Vulnerable to Username Enumeration w/ Password Recovery
Details

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313, the password recovery endpoint returns different error messages depending on whether a username exists, so enabling username enumeration. Commit e287fab56089cf8fcea9ba579a3ecdeca0daa313 fixes this issue.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/21xxx/CVE-2026-21484.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-203",
        "CWE-204"
    ]
}
References

Affected packages

Git / github.com/mintplex-labs/anything-llm

Affected ranges

Type
GIT
Repo
https://github.com/mintplex-labs/anything-llm
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
ac8248e08d0a4606eb3c87bcdbab9fa99e73d7df
Fixed
e287fab56089cf8fcea9ba579a3ecdeca0daa313
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.10.0"
        }
    ]
}

Affected versions

v1.*
v1.0.0
v1.1.0
v1.1.1
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.3.0
v1.4.0
v1.7.4
v1.7.5
v1.7.6
v1.7.8
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.8.4
v1.8.5
v1.9.0
v1.9.1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-21484.json"