ATR-2026-01974criticalPrivilege Escalationdraft
AnythingLLM unauthenticated /system/data-import access control bypass (CVE-2024-3279)
CVE-2024-3279: improper access control on the mintplex-labs/anything-llm POST /system/data-import endpoint (<1.0.0). An anonymous, unauthenticated attacker uploads their own database file via multipart formData, deleting or spoofing the existing anythingllm.db SQLite database to serve malicious data or harvest user info. This rule keys on the data-import endpoint path combined with the database-file import sink (anythingllm.db / data-import upload).
Severity
critical
Category
Privilege Escalation
Scan Target
both
Author
ATR Community
Response Actions
alertblock input
References
OWASP Agentic
ASI06:2026 - Tool Misuse
OWASP LLM
LLM06:2025 - Excessive Agency
MITRE ATLAS
AML.T0049 - Exploit Public-Facing Application
Detection Conditions
Combinator: any- 01POST upload to the unauthenticated /system/data-import endpoint with a multipart DB filefield: contentop: regex
- 02Import/upload of the anythingllm.db database file via the data-import sinkfield: contentop: regex
- 03explicit CVE framingfield: contentop: regex
Attack Examples (Rule Triggers)
curl -X POST http://target:3001/api/system/data-import -F '[email protected]' to overwrite anythingllm.db with no auth header
fetch(`${API_BASE}/system/data-import`, { method: 'POST', body: formData }) // uploads attacker anythingllm.db, no authExploit for CVE-2024-3279: unauthenticated attacker imports their own anythingllm.db via /system/data-import to spoof the database
Real-world attack payloads, sanitized and versioned alongside the rule as regression tests — so a future revision can't silently stop catching them.
Benign Examples (Rule Doesn't Trigger)
- Mentions anythingllm.db for backup but no data-import upload/POST sink
Our admin docs explain how to back up anythingllm.db from the server/storage directory before upgrading.
- Describes the removed feature generically without the endpoint path or DB upload
The settings page used to have an Export or Import button; that feature was removed in v1.0.0 for security.
- A different multipart upload endpoint, not /system/data-import and not the DB file
POST /api/workspace/upload with formData to add a multipart PDF document to a workspace for embedding.
Known False Positive Contexts
- ▸Documentation or release notes describing the removed Export/Import feature without an actual unauthenticated upload request to /system/data-import
- ▸Legitimate authenticated admin using a backup/restore tool that references anythingllm.db by path but does not POST it to the /system/data-import endpoint
Full YAML Definition
Edit on GitHub →title: "AnythingLLM unauthenticated /system/data-import access control bypass (CVE-2024-3279)"
id: ATR-2026-01974
rule_version: 1
status: draft
description: >
CVE-2024-3279: improper access control on the mintplex-labs/anything-llm
POST /system/data-import endpoint (<1.0.0). An anonymous, unauthenticated
attacker uploads their own database file via multipart formData, deleting or
spoofing the existing anythingllm.db SQLite database to serve malicious data
or harvest user info. This rule keys on the data-import endpoint path combined
with the database-file import sink (anythingllm.db / data-import upload).
author: "ATR Community"
date: "2026/06/29"
schema_version: "0.1"
detection_tier: pattern
maturity: test
severity: critical
references:
owasp_llm: ["LLM06:2025 - Excessive Agency"]
owasp_agentic: ["ASI06:2026 - Tool Misuse"]
mitre_atlas: ["AML.T0049 - Exploit Public-Facing Application"]
mitre_attack: ["T1190 - Exploit Public-Facing Application"]
cve: ["CVE-2024-3279"]
metadata_provenance: { mitre_atlas: human-reviewed, owasp_llm: human-reviewed, owasp_agentic: human-reviewed }
compliance:
eu_ai_act:
- article: "15"
context: "Article 15 (accuracy, robustness, cybersecurity) — runtime detection of this technique is a cybersecurity control for high-risk AI systems. Technique: AnythingLLM unauthenticated /system/data-import access control bypass (CVE-2024-3279)."
strength: primary
- article: "9"
context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control. Technique: AnythingLLM unauthenticated /system/data-import access control bypass (CVE-2024-3279)."
strength: secondary
nist_ai_rmf:
- subcategory: "MP.5.1"
context: "NIST AI RMF MAP 5.1 — likelihood and impact of the identified attack are characterised; this rule detects the adversarial input at runtime. Technique: AnythingLLM unauthenticated /system/data-import access control bypass (CVE-2024-3279)."
strength: primary
- subcategory: "MG.3.2"
context: "NIST AI RMF MANAGE 3.2 — runtime monitoring/maintenance control that surfaces this attack class. Technique: AnythingLLM unauthenticated /system/data-import access control bypass (CVE-2024-3279)."
strength: secondary
iso_42001:
- clause: "8.1"
context: "ISO/IEC 42001 Clause 8.1 (operational planning and control) — detection of this payload is an operational control. Technique: AnythingLLM unauthenticated /system/data-import access control bypass (CVE-2024-3279)."
strength: primary
- clause: "8.3"
context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) — this rule implements runtime detection as a treatment control. Technique: AnythingLLM unauthenticated /system/data-import access control bypass (CVE-2024-3279)."
strength: secondary
tags: { category: privilege-escalation, subcategory: improper-access-control, scan_target: both, confidence: high, source: cve-disclosure, vendor_sources: anything-llm-cve-2024-3279 }
agent_source: { type: llm_io, framework: [any], provider: [any] }
detection:
condition: any
false_positives:
- "Documentation or release notes describing the removed Export/Import feature without an actual unauthenticated upload request to /system/data-import"
- "Legitimate authenticated admin using a backup/restore tool that references anythingllm.db by path but does not POST it to the /system/data-import endpoint"
conditions:
- field: content
operator: regex
value: '(?i)/system/data-import\b[\s\S]{0,300}(?:multipart/form-data|form-?data|multer|\.db\b|anythingllm\.db|method\s*[:=]\s*["'']?post)'
description: "POST upload to the unauthenticated /system/data-import endpoint with a multipart DB file"
- field: content
operator: regex
value: '(?i)anythingllm\.db[\s\S]{0,200}(?:/system/data-import|data-import|formData|multipart|import)'
description: "Import/upload of the anythingllm.db database file via the data-import sink"
- field: content
operator: regex
value: '(?i)CVE-2024-3279[\s\S]{0,200}(?:data-import|anythingllm|access control|unauthenticated)'
description: "explicit CVE framing"
response:
actions: [alert, block_input]
message_template: >
[ATR-2026-01974] CRITICAL: Unauthenticated AnythingLLM /system/data-import upload can overwrite/spoof anythingllm.db (CVE-2024-3279). Block and patch to >=1.0.0.
confidence: 80
wild_fp_rate: 0
test_cases:
true_positives:
- input: "curl -X POST http://target:3001/api/system/data-import -F '[email protected]' to overwrite anythingllm.db with no auth header"
expected: triggered
description: "Anonymous multipart POST to /system/data-import uploading a malicious database file"
- input: "fetch(`${API_BASE}/system/data-import`, { method: 'POST', body: formData }) // uploads attacker anythingllm.db, no auth"
expected: triggered
description: "Frontend-style unauthenticated data-import upload of the DB file"
- input: "Exploit for CVE-2024-3279: unauthenticated attacker imports their own anythingllm.db via /system/data-import to spoof the database"
expected: triggered
description: "Explicit CVE reference with the data-import access control bypass"
true_negatives:
- input: "Our admin docs explain how to back up anythingllm.db from the server/storage directory before upgrading."
expected: not_triggered
description: "Mentions anythingllm.db for backup but no data-import upload/POST sink"
- input: "The settings page used to have an Export or Import button; that feature was removed in v1.0.0 for security."
expected: not_triggered
description: "Describes the removed feature generically without the endpoint path or DB upload"
- input: "POST /api/workspace/upload with formData to add a multipart PDF document to a workspace for embedding."
expected: not_triggered
description: "A different multipart upload endpoint, not /system/data-import and not the DB file"
More Privilege Escalation Rules
ATR-2026-00040criticalPrivilege Escalation and Admin Function AccessATR-2026-00041mediumAgent Scope Creep DetectionATR-2026-00107highPrivilege Escalation via Delayed Task Execution BypassATR-2026-00110criticalRemote Code Execution via eval() and Dynamic Code InjectionATR-2026-00111criticalShell Metacharacter Injection in Tool Arguments