PT-2025-52256 · Unknown · Anything-Llm

Zhihuang Liu · Published 2025-12-18 · Updated 2025-12-20 · CVE-2025-63390

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

AnythingLLM version 1.8.5

Description

An authentication bypass allows unauthenticated remote attackers to enumerate and retrieve detailed information about all configured workspaces. The issue is due to missing authentication checks in the /api/workspaces endpoint. Exposed data includes workspace identifiers (id, name, slug), AI model configurations (chatProvider, chatModel, agentProvider), system prompts (openAiPrompt), operational parameters (temperature, history length, similarity thresholds), vector search settings, chat modes, and timestamps.

Recommendations

Apply authentication checks to the /api/workspaces endpoint to prevent unauthorized access to workspace configuration details.

Fix

Weakness Enumeration

Missing Authentication

Related Identifiers

CVE-2025-63390

Affected Products

Anything-Llm