Unrestricted access to AnythingLLM API
Description
AnythingLLM is a full-stack application that enables users to build private ChatGPT-like interfaces using commercial or open-source Large Language Models (LLMs) and vector database solutions for intelligent document interaction.
This vulnerability allows unauthorized access to the AnythingLLM API without requiring authentication credentials. The API endpoints are exposed and accessible to any network user, enabling unauthenticated parties to interact with the application's functionality and data stores.
Remediation
Implement authentication and authorization controls for all AnythingLLM API endpoints to prevent unauthorized access:
1. Enable the built-in authentication mechanism in AnythingLLM by configuring the AUTH_TOKEN environment variable or using the multi-user authentication mode
2. Configure API key-based authentication for programmatic access to the API endpoints
3. Implement network-level access controls such as firewall rules or IP whitelisting to restrict API access to trusted networks only
4. Review and update the application configuration file to ensure authentication is enforced for all API routes
5. If using the single-user mode, set a strong password and ensure the JWT_SECRET environment variable is configured with a cryptographically secure random value
6. Consider deploying the application behind a reverse proxy with additional authentication layers for enhanced security
Consult the AnythingLLM documentation for detailed configuration instructions specific to your deployment method.