CVE-2025-63390

Severity CVSS v4.0:

Pending analysis

Type:

Unavailable / Other

Publication date:

18/12/2025

Last modified:

18/12/2025

Description

An authentication bypass vulnerability exists in AnythingLLM v1.8.5 in via the /api/workspaces endpoint. The endpoint fails to implement proper authentication checks, allowing unauthenticated remote attackers to enumerate and retrieve detailed information about all configured workspaces. Exposed data includes: workspace identifiers (id, name, slug), AI model configurations (chatProvider, chatModel, agentProvider), system prompts (openAiPrompt), operational parameters (temperature, history length, similarity thresholds), vector search settings, chat modes, and timestamps.

Impact

References to Advisories, Solutions, and Tools

https://gist.github.com/Cristliu/ba529c99abec87102e5ef36435d02a6d
https://github.com/Mintplex-Labs/anything-llm/issues