CVE-2026-24477
- Severity: HIGH
- CVSS v3: 7.5 (HIGH)
- EPSS Score: 11.2% (exploit probability)
- CISA KEV: No (known exploited)
- Exploitation (SSVC status): —
Description
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text to unauthenticated users via the `/api/setup-complete` endpoint. Leakage of QdrantApiKey allows an unauthenticated attacker full read/write access to the Qdrant vector database instance used by AnythingLLM. Since Qdrant
Technical Details
- CVSS v3 Vector: 3.1
- Published: 1/26/2026
- Last Modified: 1/28/2026
Frequently Asked Questions
What is CVE-2026-24477?
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text to unauthenticated users via the `/api/setup-complete` endpoint. Leakage of QdrantApiKey allows an unauthenticated attacker full read/write access to the Qdrant vector database instance used by AnythingLLM. Since Qdrant
Is CVE-2026-24477 actively exploited?
Active exploitation of CVE-2026-24477 has not been confirmed. The EPSS score is 11.2%, indicating the estimated probability of exploitation in the next 30 days.
What is the CVSS score for CVE-2026-24477?
CVE-2026-24477 has a CVSS v3 base score of 7.5 (HIGH severity), with vector string 3.1.