id: CVE-2026-21484

info:
  name: AnythingLLM - Username Enumeration via Password Recovery
  author: DhiyaneshDk
  severity: medium
  description: |
    AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313, the password recovery endpoint returned different error messages depending on whether a username exists, thereby enabling username enumeration. Commit e287fab56089cf8fcea9ba579a3ecdeca0daa313 fixes this issue.
  impact: |
    Attackers can enumerate valid usernames, aiding further targeted attacks or social engineering.
  remediation: Update to the version including commit e287fab56089cf8fcea9ba579a3ecdeca0daa313 or later.
  reference:
    - https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-47vr-w3vm-69ch
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2026-21484
    epss-score: 0.00384
    epss-percentile: 0.59923
    cwe-id: CWE-203,CWE-204
  metadata:
    verified: true
    max-request: 2
    vendor: mintplex-labs
    product: anything-llm
    shodan-query: http.favicon.hash:-1279687529
  tags: cve,cve2026,anythingllm,user-enum

variables:
  rc1: "{{rand_text_alphanumeric(8)}}-{{rand_text_alphanumeric(4)}}-{{rand_text_alphanumeric(4)}}-{{rand_text_alphanumeric(4)}}-{{rand_text_alphanumeric(12)}}"
  rc2: "{{rand_text_alphanumeric(8)}}-{{rand_text_alphanumeric(4)}}-{{rand_text_alphanumeric(4)}}-{{rand_text_alphanumeric(4)}}-{{rand_text_alphanumeric(12)}}"
  rc3: "{{rand_text_alphanumeric(8)}}-{{rand_text_alphanumeric(4)}}-{{rand_text_alphanumeric(4)}}-{{rand_text_alphanumeric(4)}}-{{rand_text_alphanumeric(12)}}"
  rc4: "{{rand_text_alphanumeric(8)}}-{{rand_text_alphanumeric(4)}}-{{rand_text_alphanumeric(4)}}-{{rand_text_alphanumeric(4)}}-{{rand_text_alphanumeric(12)}}"

http:
  - raw:
      - |
        POST /api/system/recover-account HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"username":"{{randstr}}","recoveryCodes":["{{rc3}}","{{rc4}}"]}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 400'
          - 'contains_all(body, "Invalid recovery codes","success")'
        condition: and
# digest: 4a0a0047304502206f126226b18eb9c8b829a25f04b050f6b6e1deade11f8b278ac5f45e657678af0221008ade0985479d80691ee87e7c78566695057eec32f93bb758ee838ec58b3fe9bf:922c64590222798bb761d5b6d8e72950