PatchSiren cyber security CVE debrief

CVE-2026-45403 Mintplex-Labs CVE debrief

CVE-2026-45403 is a low-severity (CVSS 2.0) symlink-following vulnerability in AnythingLLM prior to version 1.13.0. The agent filesystem copy tool validates only top-level source and destination paths, but the recursive copy helper uses fs.stat() and fs.copyFile() without validating child entries or rejecting symlinks. Because both Node.js APIs follow symlinks, a nested symlink inside an allowed source directory can point outside the filesystem root, causing outside file contents to be copied into an allowed destination as regular files. The vulnerability was published on 2026-05-28 and fixed in version 1.13.0.

Vendor: Mintplex-Labs
Product: anything-llm
CVSS: LOW (2.0)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations running AnythingLLM versions prior to 1.13.0 with agent filesystem capabilities enabled, particularly those allowing user-controlled content in source directories processed by agents.

Technical summary

The vulnerability stems from incomplete path validation in AnythingLLM's agent filesystem copy functionality. Top-level source and destination paths are validated, but the recursive copy implementation uses the Node.js fs.stat() and fs.copyFile() APIs, both of which follow symlinks, with no further check on child entries. An attacker with control over file contents in an allowed source directory could place a symlink pointing to sensitive files outside the allowed root. When the agent copies from this directory, the symlink is followed and the target file's contents are written into the destination as a regular file. Exploitation requires high privileges (PR:H), high attack complexity (AC:H), and user interaction (UI:R), which limits practical exploitability. The fix in commit 21ce03087145a4261c1de03b056fba639f699c09 addresses the validation gap.

Defensive priority

Low

Recommended defensive actions

  • Upgrade AnythingLLM to version 1.13.0 or later to remediate this vulnerability.
  • Review agent filesystem access controls and ensure symlink traversal is restricted in custom deployments.
  • Audit file copy operations in agent workflows to confirm they operate within intended directory boundaries.

Evidence notes

The CVE description and NVD source confirm the vulnerability exists in AnythingLLM versions prior to 1.13.0, with a fix commit available. The CVSS vector (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N) supports the LOW severity rating. CWE-59 (Improper Link Resolution Before File Access) is identified as the weakness.
