CVE-2024-3283 in anything-llm

Summary

by MITRE • 04/10/2024

A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The '/admin/system-preferences' API endpoint improperly authorizes manager-level users to modify the 'multi_user_mode' system variable, enabling them to access the '/api/system/enable-multi-user' endpoint and create a new admin user. This issue results from the endpoint accepting a full JSON object in the request body without proper validation of modifiable fields, leading to unauthorized modification of system settings and subsequent privilege escalation.

Analysis

by VulDB Data Team • 07/10/2025

This vulnerability in mintplex-labs/anything-llm is a mass assignment flaw that lets a user holding the manager role escalate to administrator. The '/admin/system-preferences' API endpoint is reachable by managers as well as admins, and it applies every key of the incoming JSON object to the system settings store without checking, field by field, whether the caller's role is allowed to change that particular setting. Any setting that should be writable only by an administrator can therefore be overwritten by a manager, which is the direct pathway to privilege escalation.

The flaw is a textbook instance of CWE-915 (improperly controlled modification of dynamically-determined object attributes, i.e. mass assignment) and a violation of the principle of least privilege: the route-level role check is present, but authorization stops at the route and is never applied to the individual fields being written. The field that matters here is 'multi_user_mode', the flag that tells the application whether it is running with role-separated multi-user accounts, and so a core access control mechanism of the multi-user architecture. Once a manager can overwrite that flag, the '/api/system/enable-multi-user' endpoint, which turns multi-user mode on and creates an administrator account in the process, becomes usable again, and the manager can call it to create a fresh admin account. Role enforcement for system configuration changes is thereby bypassed altogether.

The impact is full compromise of the instance, not merely a step up in role. An attacker holding manager credentials can create administrator accounts under their own control and use them to read or exfiltrate workspace data, change system configuration, or disrupt the service. The weakness undermines the application's role-based access control (RBAC) model as a whole, since the manager role is meant to sit strictly below admin. Two practical caveats follow. First, the vulnerable code is exploitable at any time until it is patched, so in affected versions every manager account is effectively an admin account, and a compromised or malicious manager is as dangerous as a compromised admin. Second, patching closes the hole but does not remove administrator accounts that were created through it: operators of affected instances should review the user list for unexpected admins and confirm the current value of 'multi_user_mode'.

Mitigation is field-level authorization at the endpoint. Rather than accepting whatever JSON object arrives, the handler must hold an explicit allowlist of the settings each role may change and reject (or at minimum drop) any field outside that list, so that 'multi_user_mode' and similar security-relevant settings stay writable only by administrators. The cloud-specific ATT&CK sub-techniques T1078.004 (Cloud Accounts) and T1548.005 (Temporary Elevated Cloud Access) do not describe this issue; the attacker's activity maps to T1078 (Valid Accounts), the use of a legitimate manager account, followed by T1136 (Create Account), the creation of a new administrator. Operators should also log every change to system preferences, recording the acting user, role and the fields touched, and alert on administrative actions such as account creation that originate from non-admin roles.
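The following is an added example, not code from anything-llm or from the advisory, written to show both the mass assignment pattern described in the analysis and the per-role allowlist mitigation. Only the endpoint names, the 'multi_user_mode' field and the admin/manager roles come from the advisory; the handler shape, the other setting names, the in-memory settings store, the audit list and the enable-multi-user stand-in (which assumes the endpoint only acts while multi-user mode is off, an inference from its name and the described attack) are assumptions for illustration.

```javascript
// Added example (not anything-llm's code): mass assignment in a settings endpoint,
// beside a hardened version with per-role field allowlists and an audit trail.

const ROLES = Object.freeze({ ADMIN: "admin", MANAGER: "manager", DEFAULT: "default" });

// Constructed in-memory stand-in for the system settings table.
function freshSettings() {
  return {
    multi_user_mode: true, // the security-relevant flag named in the advisory
    users_can_delete_workspaces: false,
    limit_user_messages: false,
    message_limit: 25,
  };
}

// Vulnerable pattern: the route is gated on role (admin OR manager), but every
// key of the JSON body is written straight into the settings store.
function updateSystemPreferencesVulnerable(settings, user, body) {
  if (![ROLES.ADMIN, ROLES.MANAGER].includes(user.role)) {
    return { status: 403, error: "Forbidden" };
  }
  for (const [key, value] of Object.entries(body)) {
    settings[key] = value; // mass assignment: no per-field authorization
  }
  return { status: 200 };
}

// Hardened pattern: an explicit allowlist per role (assumed field names). A request
// touching any field outside the caller's allowlist is rejected as a whole, not
// silently trimmed, so probing is visible in the audit trail.
const EDITABLE_BY_ROLE = Object.freeze({
  [ROLES.MANAGER]: new Set(["users_can_delete_workspaces", "limit_user_messages", "message_limit"]),
  [ROLES.ADMIN]: new Set(["users_can_delete_workspaces", "limit_user_messages", "message_limit", "multi_user_mode"]),
});

function updateSystemPreferencesHardened(settings, user, body, audit = []) {
  const allowed = EDITABLE_BY_ROLE[user.role];
  if (!allowed) return { status: 403, error: "Forbidden" };
  const denied = Object.keys(body).filter((k) => !allowed.has(k));
  if (denied.length > 0) {
    audit.push({ event: "settings_update_denied", user: user.username, role: user.role, fields: denied });
    return { status: 403, error: `Role '${user.role}' may not modify: ${denied.join(", ")}` };
  }
  for (const [key, value] of Object.entries(body)) settings[key] = value;
  audit.push({ event: "settings_updated", user: user.username, role: user.role, fields: Object.keys(body) });
  return { status: 200 };
}

// Stand-in for the enable-multi-user endpoint (assumed behaviour): it refuses to act
// while multi-user mode is on; otherwise it creates an admin and turns the mode on.
function enableMultiUser(settings, users, { username, password }) {
  if (settings.multi_user_mode) {
    return { success: false, error: "Multi-user mode is already enabled." };
  }
  users.push({ username, password, role: ROLES.ADMIN });
  settings.multi_user_mode = true;
  return { success: true };
}

// Run the two-step escalation chain from the advisory against a given handler.
function runEscalation(handler) {
  const settings = freshSettings();
  const users = [{ username: "mgr", role: ROLES.MANAGER }];
  const manager = users[0];
  // Step 1: the manager's legitimate-looking update also carries the protected flag.
  const r1 = handler(settings, manager, { limit_user_messages: true, multi_user_mode: false });
  // Step 2: with the flag cleared, enable-multi-user will mint a brand-new admin.
  const r2 = enableMultiUser(settings, users, { username: "attacker", password: "x" });
  return {
    prefsStatus: r1.status,
    enableSucceeded: r2.success,
    adminCreated: users.some((u) => u.username === "attacker" && u.role === ROLES.ADMIN),
    multiUserMode: settings.multi_user_mode,
  };
}

console.log("vulnerable:", runEscalation(updateSystemPreferencesVulnerable));
console.log("hardened:  ", runEscalation(updateSystemPreferencesHardened));
```

Against the vulnerable handler the chain ends with a new admin account; against the hardened one the first request is refused with a 403, the flag is untouched, and the enable-multi-user step fails. The audit list is where the "log every change to system preferences" recommendation lands: a denied attempt naming 'multi_user_mode' from a manager account is exactly the event worth alerting on.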

Responsible

Huntr.dev

Reservation

04/03/2024

Disclosure

04/10/2024

Moderation

accepted

CPE

ready

EPSS

0.00950

KEV

no

Activities

very low
