CVE-2026-5627

Name of the Vulnerable Software and Affected Versions mintplex-labs/anything-llm versions prior to 1.12.1

Description A path traversal issue exists within the AgentFlows component due to improper handling of user input in the loadFlow() and deleteFlow() functions located in 'server/utils/agentFlows/index.js'. The use of path.join and normalizePath allows attackers to bypass directory restrictions to access or delete arbitrary .json files on the server. This can result in information disclosure, such as leaking sensitive configuration files containing API keys, or a denial of service by deleting critical files like package.json.

Recommendations Update to version 1.12.1.