2024-02-25 16:42:19
@huntr_ai
PUBLISHED
A privilege escalation vulnerability exists in mintplex-labs/anything-llm, allowing users with default role to delete documents uploaded by admin. Despite the intended restriction that prevents default role users from deleting admin-uploaded documents, an attacker can exploit this vulnerability by sending a crafted DELETE request to the /api/system/remove-document endpoint. This vulnerability is due to improper access control checks, enabling unauthorized document deletion and potentially leading to loss of data integrity.