PT-2026-1141 · Unknown · Anything-Llm

Denizparlak · Published 2026-01-03 · Updated 2026-02-23 · CVE-2026-21484

CVSS v3.1: 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

AnythingLLM (affected versions not specified)

Description

AnythingLLM is an application designed to provide context for Large Language Models (LLMs). Prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313, the password recovery functionality exposed different error messages based on the existence of a username, allowing for username enumeration. The /password-recovery API endpoint was vulnerable to this issue. This allowed an attacker to determine valid usernames by observing the response to requests with different username values.

Recommendations

Update to a version after commit e287fab56089cf8fcea9ba579a3ecdeca0daa313.
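
The response discrepancy described above, shown as an added example that is not AnythingLLM's code or the fix commit: a handler whose error text depends on username existence, a uniform-response version, and a regression check that compares the two failure paths. The handler names, messages, in-memory user store and the recoveryCodes field are assumptions made for illustration.

```javascript
// Added illustration, not AnythingLLM's code. All names, messages and the
// in-memory store below are hypothetical.
const USERS = new Map([["alice", { codes: ["constructed-code-1"] }]]); // constructed sample data

// Pattern the advisory describes: the error depends on whether the username exists.
function recoverLeaky({ username, recoveryCodes = [] }) {
  const user = USERS.get(username);
  if (!user) {
    return { status: 404, body: { success: false, error: "No such user." } };
  }
  if (!recoveryCodes.some((c) => user.codes.includes(c))) {
    return { status: 400, body: { success: false, error: "Invalid recovery codes." } };
  }
  return { status: 200, body: { success: true } };
}

// Hardened form: every failure path returns the same status and body.
const GENERIC_FAILURE = Object.freeze({
  status: 400,
  body: { success: false, error: "Invalid recovery attempt." },
});

function recoverUniform({ username, recoveryCodes = [] }) {
  const user = USERS.get(username);
  const ok = Boolean(user) && recoveryCodes.some((c) => user.codes.includes(c));
  return ok ? { status: 200, body: { success: true } } : GENERIC_FAILURE;
}

// Regression check: a failed attempt for a known username and for an unknown
// one must serialise to the same status and body.
function leaksUsernameExistence(handler, knownUser, unknownUser) {
  const attempt = (username) =>
    JSON.stringify(handler({ username, recoveryCodes: ["wrong-code"] }));
  return attempt(knownUser) !== attempt(unknownUser);
}

console.log("leaky handler distinguishable:", leaksUsernameExistence(recoverLeaky, "alice", "mallory"));
console.log("uniform handler distinguishable:", leaksUsernameExistence(recoverUniform, "alice", "mallory"));
```

The check compares status and body only; response timing is a separate signal that it does not cover.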

Exploit

Fix

Side Channel Attack

Weakness Enumeration

Related Identifiers

CVE-2026-21484
GHSA-47VR-W3VM-69CH

Affected Products

Anything-Llm