Description

An authentication bypass vulnerability exists in AnythingLLM v1.8.5 via the /api/workspaces endpoint. The endpoint fails to implement proper authentication checks, allowing unauthenticated remote attackers to enumerate and retrieve detailed information about all configured workspaces. Exposed data includes: workspace identifiers (id, name, slug), AI model configurations (chatProvider, chatModel, agentProvider), system prompts (openAiPrompt), operational parameters (temperature, history length, similarity thresholds), vector search settings, chat modes, and timestamps.

PUBLISHED Reserved 2025-10-27 | Published 2025-12-18 | Updated 2025-12-19 | Assigner mitre

References

github.com/Mintplex-Labs/anything-llm/issues

gist.github.com/Cristliu/ba529c99abec87102e5ef36435d02a6d

cve.org (CVE-2025-63390)

nvd.nist.gov (CVE-2025-63390)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.