AI Threat Alert

CVE-2025-63390: anythingllm: Missing Auth allows unauthenticated access

MEDIUM
Published December 18, 2025
CISO Take

If your organization runs AnythingLLM v1.8.5, assume your system prompts and full AI workspace configurations are publicly readable — no credentials required. This is a recon goldmine: attackers enumerate your prompts, model choices, and agent configurations before launching targeted prompt injection or social engineering attacks. Patch immediately or block unauthenticated access to /api/workspaces at the network/reverse-proxy layer.

What is the risk?

Effective risk is higher than CVSS 5.3 suggests. While confidentiality impact is scored 'low', system prompts routinely contain sensitive business logic, security guardrails, proprietary instructions, and occasionally embedded credentials or API references. The combination of network-accessible, zero-auth, zero-complexity exploitation targeting an LLM platform makes this a high-value recon vector. Organizations exposed to the internet are at immediate risk; internal-only deployments face insider/lateral-movement risk.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
anythingllm No patch

Do you use anythingllm? You're affected.

How severe is it?

CVSS 3.1
5.3 / 10
EPSS
0.5%
chance of exploitation in 30 days
Higher than 38% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C Low
I None
A None

What should I do?

6 steps

  1. PATCH

    Upgrade AnythingLLM to the latest version — check https://github.com/Mintplex-Labs/anything-llm/releases for a fix addressing CWE-306 on /api/workspaces.

  2. IMMEDIATE WORKAROUND

    Block unauthenticated access to /api/workspaces at reverse proxy/WAF/firewall level — require valid session tokens before routing to this endpoint.

  3. AUDIT

    Review all system prompts (openAiPrompt fields) for embedded credentials, internal URLs, sensitive instructions, or security bypass information that should now be considered compromised.

  4. ROTATE

    If system prompts reference API keys, internal hostnames, or credentials, rotate them now.

  5. DETECT

    Query logs for unauthenticated GET requests to /api/workspaces — any hits from external IPs indicate active exploitation.

  6. HARDEN

    Apply network segmentation — AnythingLLM should not be internet-accessible unless explicitly required.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Auth Bypass Data Extraction Privacy Violation API Framework Agent AML.T0006 AML.T0014 AML.T0049 AML.T0056 AML.T0069 AML.T0069.002 AML.T0084

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, Robustness and Cybersecurity Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system
ISO 42001
A.6.2.6 - Access control to AI systems A.8.4 - Protection of AI system information
NIST AI RMF
GOVERN-6.1 - Policies and procedures for AI risk MANAGE 2.4 - Risk Treatment and Residual Risk Management PROTECT-2.1 - AI system configuration and sensitive data protection
OWASP LLM Top 10
LLM02:2025 - Sensitive Information Disclosure LLM07:2025 - System Prompt Leakage

Frequently Asked Questions

What is CVE-2025-63390?

If your organization runs AnythingLLM v1.8.5, assume your system prompts and full AI workspace configurations are publicly readable — no credentials required. This is a recon goldmine: attackers enumerate your prompts, model choices, and agent configurations before launching targeted prompt injection or social engineering attacks. Patch immediately or block unauthenticated access to /api/workspaces at the network/reverse-proxy layer.

Is CVE-2025-63390 actively exploited?

No confirmed active exploitation of CVE-2025-63390 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-63390?

1. PATCH: Upgrade AnythingLLM to the latest version — check https://github.com/Mintplex-Labs/anything-llm/releases for a fix addressing CWE-306 on /api/workspaces. 2. IMMEDIATE WORKAROUND: Block unauthenticated access to /api/workspaces at reverse proxy/WAF/firewall level — require valid session tokens before routing to this endpoint. 3. AUDIT: Review all system prompts (openAiPrompt fields) for embedded credentials, internal URLs, sensitive instructions, or security bypass information that should now be considered compromised. 4. ROTATE: If system prompts reference API keys, internal hostnames, or credentials, rotate them now. 5. DETECT: Query logs for unauthenticated GET requests to /api/workspaces — any hits from external IPs indicate active exploitation. 6. HARDEN: Apply network segmentation — AnythingLLM should not be internet-accessible unless explicitly required.

What systems are affected by CVE-2025-63390?

This vulnerability affects the following AI/ML architecture patterns: LLM application platforms, RAG pipelines, Agent frameworks, API-exposed LLM services, Internal AI assistants.

What is the CVSS score for CVE-2025-63390?

CVE-2025-63390 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.49%.

What is the AI security impact?

Affected AI Architectures

LLM application platformsRAG pipelinesAgent frameworksAPI-exposed LLM servicesInternal AI assistants

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0014 Discover AI Model Family
AML.T0049 Exploit Public-Facing Application
AML.T0056 Extract LLM System Prompt
AML.T0069 Discover LLM System Information
AML.T0069.002 System Prompt
AML.T0084 Discover AI Agent Configuration

Compliance Controls Affected

EU AI Act: Art. 15, Article 15, Article 9
ISO 42001: A.6.2.6, A.8.4
NIST AI RMF: GOVERN-6.1, MANAGE 2.4, PROTECT-2.1
OWASP LLM Top 10: LLM02:2025, LLM07:2025

What are the technical details?

Original Advisory

An authentication bypass vulnerability exists in AnythingLLM v1.8.5 in via the /api/workspaces endpoint. The endpoint fails to implement proper authentication checks, allowing unauthenticated remote attackers to enumerate and retrieve detailed information about all configured workspaces. Exposed data includes: workspace identifiers (id, name, slug), AI model configurations (chatProvider, chatModel, agentProvider), system prompts (openAiPrompt), operational parameters (temperature, history length, similarity thresholds), vector search settings, chat modes, and timestamps.

Exploitation Scenario

An attacker discovers an AnythingLLM instance via Shodan/Censys or targeted reconnaissance. They send a single unauthenticated HTTP GET to /api/workspaces and receive a JSON response listing every configured workspace with full metadata: the names and slugs reveal business context, chatProvider/chatModel reveal the exact LLM in use, and openAiPrompt exposes the system prompt verbatim — including security restrictions and persona instructions. The attacker uses the system prompt content to craft precise prompt injection payloads that bypass stated restrictions, knowing exactly what guardrails to circumvent. They also identify agentProvider settings to understand what tools the agent can invoke, planning further exploitation via agent tool abuse.

Weaknesses (CWE)

CWE-306 Missing Authentication for Critical Function

CWE-306 — Missing Authentication for Critical Function: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

  • [Architecture and Design] Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability. Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be accessible only by authorized parties. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port. In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

Timeline

Published
December 18, 2025
Last Modified
January 22, 2026
First Seen
December 18, 2025

Related Vulnerabilities

CRITICAL CVE-2026-21858 10.0

n8n: Input Validation flaw enables exploitation

Same attack type: Data Extraction
CRITICAL CVE-2025-53767 10.0

Azure OpenAI: SSRF EoP, no auth required (CVSS 10)

Same attack type: Data Extraction
CRITICAL CVE-2023-3765 10.0

MLflow: path traversal allows arbitrary file read

Same attack type: Data Extraction
CRITICAL CVE-2025-2828 10.0

LangChain RequestsToolkit: SSRF exposes cloud metadata

Same attack type: Data Extraction
CRITICAL GHSA-vvpj-8cmc-gx39 10.0

picklescan: security flaw enables exploitation

Same attack type: Auth Bypass
Back to Threat Feed