CVE-2025-63390

Published: Dec 18, 2025

Modified: Jan 22, 2026

PUBLISHED

Description

An authentication bypass vulnerability exists in AnythingLLM v1.8.5 in via the /api/workspaces endpoint. The endpoint fails to implement proper authentication checks, allowing unauthenticated remote attackers to enumerate and retrieve detailed information about all configured workspaces. Exposed data includes: workspace identifiers (id, name, slug), AI model configurations (chatProvider, chatModel, agentProvider), system prompts (openAiPrompt), operational parameters (temperature, history length, similarity thresholds), vector search settings, chat modes, and timestamps.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/Mintplex-Labs/anything-llm/issues

https://gist.github.com/Cristliu/ba529c99abec87102e5ef36435d02a6d

https://gist.github.com/Cristliu/0897bceac5fdc2d945304b5087a84f14

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-63390

Description

Affected Products

References