Skip to content
ATR-2026-01974criticalPrivilege Escalationdraft

AnythingLLM unauthenticated /system/data-import access control bypass (CVE-2024-3279)

CVE-2024-3279: improper access control on the mintplex-labs/anything-llm POST /system/data-import endpoint (<1.0.0). An anonymous, unauthenticated attacker uploads their own database file via multipart formData, deleting or spoofing the existing anythingllm.db SQLite database to serve malicious data or harvest user info. This rule keys on the data-import endpoint path combined with the database-file import sink (anythingllm.db / data-import upload).

Severity
critical
Category
Privilege Escalation
Scan Target
both
Author
ATR Community

Response Actions

alertblock input

References

OWASP Agentic
ASI06:2026 - Tool Misuse
OWASP LLM
LLM06:2025 - Excessive Agency
MITRE ATLAS
AML.T0049 - Exploit Public-Facing Application

Detection Conditions

Combinator: any
  1. 01
    POST upload to the unauthenticated /system/data-import endpoint with a multipart DB file
    field: contentop: regex
  2. 02
    Import/upload of the anythingllm.db database file via the data-import sink
    field: contentop: regex
  3. 03
    explicit CVE framing
    field: contentop: regex

Attack Examples (Rule Triggers)

  1. curl -X POST http://target:3001/api/system/data-import -F '[email protected]' to overwrite anythingllm.db with no auth header
  2. fetch(`${API_BASE}/system/data-import`, { method: 'POST', body: formData }) // uploads attacker anythingllm.db, no auth
  3. Exploit for CVE-2024-3279: unauthenticated attacker imports their own anythingllm.db via /system/data-import to spoof the database

Real-world attack payloads, sanitized and versioned alongside the rule as regression tests — so a future revision can't silently stop catching them.

Benign Examples (Rule Doesn't Trigger)

  1. Mentions anythingllm.db for backup but no data-import upload/POST sink
    Our admin docs explain how to back up anythingllm.db from the server/storage directory before upgrading.
  2. Describes the removed feature generically without the endpoint path or DB upload
    The settings page used to have an Export or Import button; that feature was removed in v1.0.0 for security.
  3. A different multipart upload endpoint, not /system/data-import and not the DB file
    POST /api/workspace/upload with formData to add a multipart PDF document to a workspace for embedding.

Known False Positive Contexts

  • Documentation or release notes describing the removed Export/Import feature without an actual unauthenticated upload request to /system/data-import
  • Legitimate authenticated admin using a backup/restore tool that references anythingllm.db by path but does not POST it to the /system/data-import endpoint

Full YAML Definition

Edit on GitHub →
title: "AnythingLLM unauthenticated /system/data-import access control bypass (CVE-2024-3279)"
id: ATR-2026-01974
rule_version: 1
status: draft
description: >
  CVE-2024-3279: improper access control on the mintplex-labs/anything-llm
  POST /system/data-import endpoint (<1.0.0). An anonymous, unauthenticated
  attacker uploads their own database file via multipart formData, deleting or
  spoofing the existing anythingllm.db SQLite database to serve malicious data
  or harvest user info. This rule keys on the data-import endpoint path combined
  with the database-file import sink (anythingllm.db / data-import upload).
author: "ATR Community"
date: "2026/06/29"
schema_version: "0.1"
detection_tier: pattern
maturity: test
severity: critical
references:
  owasp_llm: ["LLM06:2025 - Excessive Agency"]
  owasp_agentic: ["ASI06:2026 - Tool Misuse"]
  mitre_atlas: ["AML.T0049 - Exploit Public-Facing Application"]
  mitre_attack: ["T1190 - Exploit Public-Facing Application"]
  cve: ["CVE-2024-3279"]
metadata_provenance: { mitre_atlas: human-reviewed, owasp_llm: human-reviewed, owasp_agentic: human-reviewed }
compliance:
  eu_ai_act:
    - article: "15"
      context: "Article 15 (accuracy, robustness, cybersecurity) — runtime detection of this technique is a cybersecurity control for high-risk AI systems. Technique: AnythingLLM unauthenticated /system/data-import access control bypass (CVE-2024-3279)."
      strength: primary
    - article: "9"
      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control. Technique: AnythingLLM unauthenticated /system/data-import access control bypass (CVE-2024-3279)."
      strength: secondary
  nist_ai_rmf:
    - subcategory: "MP.5.1"
      context: "NIST AI RMF MAP 5.1 — likelihood and impact of the identified attack are characterised; this rule detects the adversarial input at runtime. Technique: AnythingLLM unauthenticated /system/data-import access control bypass (CVE-2024-3279)."
      strength: primary
    - subcategory: "MG.3.2"
      context: "NIST AI RMF MANAGE 3.2 — runtime monitoring/maintenance control that surfaces this attack class. Technique: AnythingLLM unauthenticated /system/data-import access control bypass (CVE-2024-3279)."
      strength: secondary
  iso_42001:
    - clause: "8.1"
      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control) — detection of this payload is an operational control. Technique: AnythingLLM unauthenticated /system/data-import access control bypass (CVE-2024-3279)."
      strength: primary
    - clause: "8.3"
      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) — this rule implements runtime detection as a treatment control. Technique: AnythingLLM unauthenticated /system/data-import access control bypass (CVE-2024-3279)."
      strength: secondary
tags: { category: privilege-escalation, subcategory: improper-access-control, scan_target: both, confidence: high, source: cve-disclosure, vendor_sources: anything-llm-cve-2024-3279 }
agent_source: { type: llm_io, framework: [any], provider: [any] }
detection:
  condition: any
  false_positives:
    - "Documentation or release notes describing the removed Export/Import feature without an actual unauthenticated upload request to /system/data-import"
    - "Legitimate authenticated admin using a backup/restore tool that references anythingllm.db by path but does not POST it to the /system/data-import endpoint"
  conditions:
    - field: content
      operator: regex
      value: '(?i)/system/data-import\b[\s\S]{0,300}(?:multipart/form-data|form-?data|multer|\.db\b|anythingllm\.db|method\s*[:=]\s*["'']?post)'
      description: "POST upload to the unauthenticated /system/data-import endpoint with a multipart DB file"
    - field: content
      operator: regex
      value: '(?i)anythingllm\.db[\s\S]{0,200}(?:/system/data-import|data-import|formData|multipart|import)'
      description: "Import/upload of the anythingllm.db database file via the data-import sink"
    - field: content
      operator: regex
      value: '(?i)CVE-2024-3279[\s\S]{0,200}(?:data-import|anythingllm|access control|unauthenticated)'
      description: "explicit CVE framing"
response:
  actions: [alert, block_input]
  message_template: >
    [ATR-2026-01974] CRITICAL: Unauthenticated AnythingLLM /system/data-import upload can overwrite/spoof anythingllm.db (CVE-2024-3279). Block and patch to >=1.0.0.
confidence: 80
wild_fp_rate: 0
test_cases:
  true_positives:
    - input: "curl -X POST http://target:3001/api/system/data-import -F '[email protected]' to overwrite anythingllm.db with no auth header"
      expected: triggered
      description: "Anonymous multipart POST to /system/data-import uploading a malicious database file"
    - input: "fetch(`${API_BASE}/system/data-import`, { method: 'POST', body: formData }) // uploads attacker anythingllm.db, no auth"
      expected: triggered
      description: "Frontend-style unauthenticated data-import upload of the DB file"
    - input: "Exploit for CVE-2024-3279: unauthenticated attacker imports their own anythingllm.db via /system/data-import to spoof the database"
      expected: triggered
      description: "Explicit CVE reference with the data-import access control bypass"
  true_negatives:
    - input: "Our admin docs explain how to back up anythingllm.db from the server/storage directory before upgrading."
      expected: not_triggered
      description: "Mentions anythingllm.db for backup but no data-import upload/POST sink"
    - input: "The settings page used to have an Export or Import button; that feature was removed in v1.0.0 for security."
      expected: not_triggered
      description: "Describes the removed feature generically without the endpoint path or DB upload"
    - input: "POST /api/workspace/upload with formData to add a multipart PDF document to a workspace for embedding."
      expected: not_triggered
      description: "A different multipart upload endpoint, not /system/data-import and not the DB file"

Revision History

Created
2026-06-29
Last modified
2026-07-02
View full commit history on GitHub →