PT-2026-1141 · Unknown · Anything-Llm
Denizparlak · Published 2026-01-03 · Updated 2026-04-17 · CVE-2026-21484

| Metric | Value |
|---|---|
| CVSS v3.1 | 5.3 (Medium) |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
AnythingLLM (affected versions not specified)
Description
AnythingLLM is an application designed to provide context for Large Language Models (LLMs). Prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313, the password recovery functionality returned different error messages depending on whether the supplied username existed, allowing username enumeration. The /password-recovery API endpoint was affected by this issue: an attacker could determine valid usernames by observing the response to requests with different username values.

Recommendations
Update to a version after commit e287fab56089cf8fcea9ba579a3ecdeca0daa313.

Exploit
Fix
Side Channel Attack
Related Identifiers
Affected Products
Anything-Llm