Path Traversal in mintplex-labs/anything-llm

Description

A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the `AgentFlows` component. The vulnerability arises from improper handling of user input in the `loadFlow` and `deleteFlow` methods in `server/utils/agentFlows/index.js`. Specifically, the combination of `path.join` and `normalizePath` allows attackers to bypass directory restrictions and access or delete arbitrary `.json` files on the server. This can lead to information disclosure, such as leaking sensitive configuration files containing API keys, or denial of service by deleting critical files like `package.json`. The issue is resolved in version 1.12.1.

Affected Products

Vendor	Product	Versions
mintplex-labs	mintplex-labs/anything-llm	unspecified, 1.12.0

References

Related News (1 articles)

Tier C

VulDB5h ago

CVE-2026-5627 | mintplex-labs anything-llm up to 1.12.0 AgentFlows index.js loadFlow/deleteFlow path traversal

→ No new info (linked only)

CVSS 3.19.1 HIGH

VectorCVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited❌ No

Patch available

1.12.1

CWECWE-29

PublishedApr 7, 2026

Last enriched4h agov2

Trending Score32

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

Version History

Last enriched 4h ago

v2Tier C4h ago

Updated affected versions to include 1.12.0, changed severity to HIGH, and noted that there is no available exploit.

affectedVersionsseverity

via VulDB

v14h ago

Initial creation