CVE-2026-5627

Source
https://cve.org/CVERecord?id=CVE-2026-5627
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-5627.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-5627
Published
2026-04-07T13:06:38.503Z
Modified
2026-07-15T01:48:52.220945979Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Path Traversal in mintplex-labs/anything-llm
Details

A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the AgentFlows component. The vulnerability arises from improper handling of user input in the loadFlow and deleteFlow methods in server/utils/agentFlows/index.js. Specifically, the combination of path.join and normalizePath allows attackers to bypass directory restrictions and access or delete arbitrary .json files on the server. This can lead to information disclosure, such as leaking sensitive configuration files containing API keys, or denial of service by deleting critical files like package.json. The issue is resolved in version 1.12.1.

Database specific
{
    "cna_assigner": "@huntr_ai",
    "cwe_ids": [
        "CWE-29"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/5xxx/CVE-2026-5627.json"
}
References

Affected packages

Git / github.com/mintplex-labs/anything-llm

Affected ranges

Type
GIT
Repo
https://github.com/mintplex-labs/anything-llm
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.9.1"
        }
    ]
}

Affected versions

v1.*
v1.0.0
v1.1.0
v1.1.1
v1.10.0
v1.11.0
v1.11.1
v1.11.2
v1.12.0
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.3.0
v1.4.0
v1.7.4
v1.7.5
v1.7.6
v1.7.8
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.8.4
v1.8.5
v1.9.0
v1.9.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-5627.json"