CVE-2026-24478
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-27

Last updated on: 2026-01-28

Assigner: GitHub, Inc.

Description
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.10.0, a critical Path Traversal vulnerability in the DrupalWiki integration allows a malicious admin (or an attacker who can convince an admin to configure a malicious DrupalWiki URL) to write arbitrary files to the server. This can lead to Remote Code Execution (RCE) by overwriting configuration files or writing executable scripts. Version 1.10.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-27
Last Modified
2026-01-28
Generated
2026-06-16
AI Q&A
2026-01-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24478
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mintplexlabs anythingllm to 1.10.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-24478 is a critical Path Traversal vulnerability in the DrupalWiki integration of the anything-llm application prior to version 1.10.0. It occurs because the application takes a fileName from an external API response without sanitizing it and concatenates it with a fixed directory path. This allows an attacker with admin privileges or who can trick an admin into configuring a malicious DrupalWiki URL to write arbitrary files anywhere on the server where the process has write permissions. This can lead to overwriting configuration files or writing executable scripts, potentially resulting in Remote Code Execution (RCE) or Denial of Service by corrupting critical files. [1]

Impact Analysis

This vulnerability can allow an attacker with admin privileges or the ability to trick an admin to write arbitrary files on the server, which can lead to Remote Code Execution (RCE). This means the attacker could run malicious code on your server by overwriting configuration files, executable scripts, cron jobs, or application code such as .env files. It can also cause Denial of Service by corrupting critical system files, impacting the confidentiality, integrity, and availability of your system. [1]

Detection Guidance

This vulnerability can be detected by checking for the presence of malicious files written via path traversal sequences, such as files created outside the intended directory (e.g., /tmp/pwn.txt). You can look for suspicious files created recently in directories where the application has write permissions. Additionally, monitoring network traffic for requests to the DrupalWiki integration that include unusual or crafted fileName parameters with path traversal patterns (e.g., ../../) can help detect exploitation attempts. Since the exploit involves configuring the DrupalWiki extension to point to a malicious server, reviewing configuration files for unexpected DrupalWiki URLs is also recommended. Specific commands might include: 1) Searching for suspicious files: `find / -name 'pwn.txt' 2>/dev/null` or `find /tmp -type f -mtime -7` to find recently modified files. 2) Checking application logs for unusual API responses or errors related to DrupalWiki. 3) Using network monitoring tools (e.g., tcpdump or Wireshark) to capture and analyze traffic to the DrupalWiki integration endpoint for suspicious payloads containing path traversal sequences. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the anything-llm package to version 1.10.0 or later, where the vulnerability has been patched. Additionally, restrict admin privileges to trusted users only to prevent malicious configuration of the DrupalWiki URL. Review and sanitize any DrupalWiki URLs configured in the system to ensure they do not point to untrusted or malicious servers. As a temporary measure, monitor and restrict write permissions of the application process to limit the impact of arbitrary file writes. Consider implementing network controls to block communication with untrusted DrupalWiki servers. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24478. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart