theinfosecnews

CVE-2026-5627

Published April 7, 2026 · Updated April 7, 2026

CVSS 9.1 (Critical)

What This Means

CVE-2026-5627 is a critical (CVSS 9.1) path traversal vulnerability in mintplex-labs/anything-llm, versions up to and including 1.9.1, in the `AgentFlows` component. A user-controlled flow identifier is turned into a file path without being confined to the flows directory, so an attacker can read or delete arbitrary files ending in `.json` on the server. That enables information disclosure (for example, JSON configuration files that hold API keys) and denial of service (for example, deleting `package.json`). Upgrade to version 1.12.1 or later to fix this vulnerability.

Official Description

A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the `AgentFlows` component. The vulnerability arises from improper handling of user input in the `loadFlow` and `deleteFlow` methods in `server/utils/agentFlows/index.js`. Specifically, the combination of `path.join` and `normalizePath` allows attackers to bypass directory restrictions and access or delete arbitrary `.json` files on the server. This can lead to information disclosure, such as leaking sensitive configuration files containing API keys, or denial of service by deleting critical files like `package.json`. The issue is resolved in version 1.12.1.

Recommended Actions

  1. Determine whether you run mintplex-labs/anything-llm at version 1.9.1 or earlier, the affected range given in the description above.
  2. Upgrade to version 1.12.1 or later, where the issue is fixed. Until the upgrade is done, limit who can reach the AgentFlows features, since the flaw lies in how flow identifiers are turned into file paths.
  3. Monitor vendor advisories for updates and additional mitigations.
  4. Review server and proxy logs for flow identifiers containing `../` or URL-encoded equivalents such as `%2e%2e%2f`, and confirm that `package.json` and other `.json` configuration files on the host are intact.