PT-2026-4834 · Unknown+1 · Anything-Llm+1

Lagongit · Published 2026-01-26 · Updated 2026-03-17 · CVE-2026-24477

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

AnythingLLM versions prior to 1.10.0

Description

AnythingLLM is an application that converts content into context for use with Large Language Models (LLMs). If configured to use Qdrant as the vector database with an API key, versions prior to 1.10.0 expose the QdrantApiKey in plain text to unauthenticated users via the /api/setup-complete endpoint. Compromise of the QdrantApiKey grants an unauthenticated attacker full read/write access to the Qdrant vector database instance used by AnythingLLM, potentially leading to the leakage of confidential uploaded documents.

Recommendations

Update to version 1.10.0 or later.
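
A post-upgrade check for your own deployment, added here as an example and not taken from the advisory or the AnythingLLM project: it scans a response body from /api/setup-complete for a non-empty QdrantApiKey field and reports only where it appears, never the value. The sample bodies are constructed, the JSON shape is an assumption, and the function names are hypothetical.

```python
import json
import urllib.request

ENDPOINT = "/api/setup-complete"  # endpoint named in the advisory
SECRET_FIELD = "qdrantapikey"     # field named in the advisory, compared case-insensitively


def fetch_setup_complete(base_url: str, timeout: float = 10.0) -> str:
    """Fetch the endpoint from your own instance, deliberately without credentials."""
    url = base_url.rstrip("/") + ENDPOINT
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def find_exposed_key(body: str) -> list[str]:
    """Return JSON paths where a non-empty QdrantApiKey value appears.

    Only locations are returned, so the result is safe to log.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        # Not JSON (error page, proxy banner): fall back to a substring check.
        return ["<raw body>"] if SECRET_FIELD in body.lower() else []

    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}.{key}"
                # An absent, null, empty or false value does not disclose anything.
                if key.lower() == SECRET_FIELD and value not in (None, "", False):
                    hits.append(here)
                walk(value, here)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(doc, "$")
    return hits


# Constructed sample bodies; the real response shape is an assumption.
VULNERABLE_SAMPLE = '{"results": {"VectorDB": "qdrant", "QdrantApiKey": "constructed-not-a-real-key"}}'
PATCHED_SAMPLE = '{"results": {"VectorDB": "qdrant"}}'

if __name__ == "__main__":
    for name, body in (("vulnerable", VULNERABLE_SAMPLE), ("patched", PATCHED_SAMPLE)):
        print(name, find_exposed_key(body))
```

If the check reports a hit on an instance that was reachable by untrusted clients, treat the Qdrant API key as disclosed and rotate it after upgrading.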

Related Identifiers

CVE-2026-24477
GHSA-GM94-QC2P-XCWF

Affected Products

Anything-Llm
Qdrant