CVE-2026-21484

CVE-2026-21484 is a medium-severity vulnerability in Mintplexlabs Anythingllm with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-203.

Key facts

Description

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313, the password recovery endpoint returns different error messages depending on whether a username exists, so enabling username enumeration. Commit e287fab56089cf8fcea9ba579a3ecdeca0daa313 fixes this issue.

Frequently asked questions

What is CVE-2026-21484?
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313, the password recovery endpoint returns different error messages depending on whether a username exists, so enabling username enumeration. Commit e287fab56089cf8fcea9ba579a3ecdeca0daa313 fixes this issue.
How severe is CVE-2026-21484?
CVE-2026-21484 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
Is CVE-2026-21484 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (49th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-21484?
CVE-2026-21484 affects Mintplexlabs Anythingllm. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-21484?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-21484 have an EU (EUVD) identifier?
Yes. CVE-2026-21484 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-0774.
When was CVE-2026-21484 published?
CVE-2026-21484 was published on 2026-01-03 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Mintplexlabs Anythingllm

All CVEs affecting Mintplexlabs Anythingllm →

Other CWE-203 (Observable Discrepancy) vulnerabilities

Browse all CWE-203 (Observable Discrepancy) vulnerabilities →