CVE-2026-24478
BaseFortify
Publication date: 2026-01-27
Last updated on: 2026-01-28
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mintplexlabs | anythingllm | up to 1.10.0 (excluding 1.10.0) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24478 is a critical Path Traversal vulnerability in the DrupalWiki integration of the anything-llm application prior to version 1.10.0. It occurs because the application takes a fileName from an external API response without sanitizing it and concatenates it with a fixed directory path. This allows an attacker with admin privileges, or one who can trick an admin into configuring a malicious DrupalWiki URL, to write arbitrary files anywhere on the server where the process has write permissions. This can lead to overwriting configuration files or writing executable scripts, potentially resulting in Remote Code Execution (RCE), or to Denial of Service by corrupting critical files. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker with admin privileges, or with the ability to trick an admin, to write arbitrary files on the server, which can lead to Remote Code Execution (RCE). This means the attacker could run malicious code on your server by overwriting configuration files, executable scripts, cron jobs, or application code such as .env files. It can also cause Denial of Service by corrupting critical system files, impacting the confidentiality, integrity, and availability of your system. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of malicious files written via path traversal sequences, such as files created outside the intended directory (e.g., /tmp/pwn.txt). You can look for suspicious files created recently in directories where the application has write permissions. Additionally, monitoring network traffic for requests to the DrupalWiki integration that include unusual or crafted fileName parameters with path traversal patterns (e.g., ../../) can help detect exploitation attempts. Since the exploit involves configuring the DrupalWiki extension to point to a malicious server, reviewing configuration files for unexpected DrupalWiki URLs is also recommended. Specific commands might include:
1. Searching for suspicious files: `find / -name 'pwn.txt' 2>/dev/null`, or `find /tmp -type f -mtime -7` to find recently modified files.
2. Checking application logs for unusual API responses or errors related to DrupalWiki.
3. Using network monitoring tools (e.g., tcpdump or Wireshark) to capture and analyze traffic to the DrupalWiki integration endpoint for suspicious payloads containing path traversal sequences. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the anything-llm package to version 1.10.0 or later, where the vulnerability has been patched. Additionally, restrict admin privileges to trusted users only to prevent malicious configuration of the DrupalWiki URL. Review and sanitize any DrupalWiki URLs configured in the system to ensure they do not point to untrusted or malicious servers. As a temporary measure, monitor and restrict write permissions of the application process to limit the impact of arbitrary file writes. Consider implementing network controls to block communication with untrusted DrupalWiki servers. [1]