ATR-2026-01974 | critical | Privilege Escalation | draft
AnythingLLM unauthenticated /system/data-import access control bypass (CVE-2024-3279)
CVE-2024-3279: improper access control on the mintplex-labs/anything-llm POST /system/data-import endpoint (<1.0.0). An anonymous, unauthenticated attacker uploads their own database file via multipart formData, deleting or spoofing the existing anythingllm.db SQLite database to serve malicious data or harvest user info. This rule keys on the data-import endpoint path combined with the database-file import sink (anythingllm.db / data-import upload).
Severity
critical
Category
Privilege Escalation
Scan target
both
Author
ATR Community
Recommended response
alert, block input
References
OWASP Agentic
ASI06:2026 - Tool Misuse
OWASP LLM
LLM06:2025 - Excessive Agency
MITRE ATLAS
AML.T0049 - Exploit Public-Facing Application
Detection conditions
Combination: any
- 01 POST upload to the unauthenticated /system/data-import endpoint with a multipart DB file (field: content, operator: regex)
- 02 Import/upload of the anythingllm.db database file via the data-import sink (field: content, operator: regex)
- 03 explicit CVE framing (field: content, operator: regex)
Attack examples (rule triggers)
curl -X POST http://target:3001/api/system/data-import -F '[email protected]' to overwrite anythingllm.db with no auth header
fetch(`${API_BASE}/system/data-import`, { method: 'POST', body: formData }) // uploads attacker anythingllm.db, no auth
Exploit for CVE-2024-3279: unauthenticated attacker imports their own anythingllm.db via /system/data-import to spoof the database
The above are sanitized versions of real attack payloads, versioned together with the rule as regression tests, so that future revisions do not silently miss them.
Benign samples (rule does not trigger)
- Mentions anythingllm.db for backup but no data-import upload/POST sink
Our admin docs explain how to back up anythingllm.db from the server/storage directory before upgrading.
- Describes the removed feature generically without the endpoint path or DB upload
The settings page used to have an Export or Import button; that feature was removed in v1.0.0 for security.
- A different multipart upload endpoint, not /system/data-import and not the DB file
POST /api/workspace/upload with formData to add a multipart PDF document to a workspace for embedding.
Known false-positive scenarios
- Documentation or release notes describing the removed Export/Import feature without an actual unauthenticated upload request to /system/data-import
- Legitimate authenticated admin using a backup/restore tool that references anythingllm.db by path but does not POST it to the /system/data-import endpoint
Full YAML definition
```yaml
title: "AnythingLLM unauthenticated /system/data-import access control bypass (CVE-2024-3279)"
id: ATR-2026-01974
rule_version: 1
status: draft
description: >
  CVE-2024-3279: improper access control on the mintplex-labs/anything-llm
  POST /system/data-import endpoint (<1.0.0). An anonymous, unauthenticated
  attacker uploads their own database file via multipart formData, deleting or
  spoofing the existing anythingllm.db SQLite database to serve malicious data
  or harvest user info. This rule keys on the data-import endpoint path combined
  with the database-file import sink (anythingllm.db / data-import upload).
author: "ATR Community"
date: "2026/06/29"
schema_version: "0.1"
detection_tier: pattern
maturity: test
severity: critical
references:
  owasp_llm: ["LLM06:2025 - Excessive Agency"]
  owasp_agentic: ["ASI06:2026 - Tool Misuse"]
  mitre_atlas: ["AML.T0049 - Exploit Public-Facing Application"]
  mitre_attack: ["T1190 - Exploit Public-Facing Application"]
  cve: ["CVE-2024-3279"]
metadata_provenance: { mitre_atlas: human-reviewed, owasp_llm: human-reviewed, owasp_agentic: human-reviewed }
compliance:
  eu_ai_act:
    - article: "15"
      context: "Article 15 (accuracy, robustness, cybersecurity) — runtime detection of this technique is a cybersecurity control for high-risk AI systems. Technique: AnythingLLM unauthenticated /system/data-import access control bypass (CVE-2024-3279)."
      strength: primary
    - article: "9"
      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control. Technique: AnythingLLM unauthenticated /system/data-import access control bypass (CVE-2024-3279)."
      strength: secondary
  nist_ai_rmf:
    - subcategory: "MP.5.1"
      context: "NIST AI RMF MAP 5.1 — likelihood and impact of the identified attack are characterised; this rule detects the adversarial input at runtime. Technique: AnythingLLM unauthenticated /system/data-import access control bypass (CVE-2024-3279)."
      strength: primary
    - subcategory: "MG.3.2"
      context: "NIST AI RMF MANAGE 3.2 — runtime monitoring/maintenance control that surfaces this attack class. Technique: AnythingLLM unauthenticated /system/data-import access control bypass (CVE-2024-3279)."
      strength: secondary
  iso_42001:
    - clause: "8.1"
      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control) — detection of this payload is an operational control. Technique: AnythingLLM unauthenticated /system/data-import access control bypass (CVE-2024-3279)."
      strength: primary
    - clause: "8.3"
      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) — this rule implements runtime detection as a treatment control. Technique: AnythingLLM unauthenticated /system/data-import access control bypass (CVE-2024-3279)."
      strength: secondary
tags: { category: privilege-escalation, subcategory: improper-access-control, scan_target: both, confidence: high, source: cve-disclosure, vendor_sources: anything-llm-cve-2024-3279 }
agent_source: { type: llm_io, framework: [any], provider: [any] }
detection:
  condition: any
  false_positives:
    - "Documentation or release notes describing the removed Export/Import feature without an actual unauthenticated upload request to /system/data-import"
    - "Legitimate authenticated admin using a backup/restore tool that references anythingllm.db by path but does not POST it to the /system/data-import endpoint"
  conditions:
    - field: content
      operator: regex
      value: '(?i)/system/data-import\b[\s\S]{0,300}(?:multipart/form-data|form-?data|multer|\.db\b|anythingllm\.db|method\s*[:=]\s*["'']?post)'
      description: "POST upload to the unauthenticated /system/data-import endpoint with a multipart DB file"
    - field: content
      operator: regex
      value: '(?i)anythingllm\.db[\s\S]{0,200}(?:/system/data-import|data-import|formData|multipart|import)'
      description: "Import/upload of the anythingllm.db database file via the data-import sink"
    - field: content
      operator: regex
      value: '(?i)CVE-2024-3279[\s\S]{0,200}(?:data-import|anythingllm|access control|unauthenticated)'
      description: "explicit CVE framing"
response:
  actions: [alert, block_input]
  message_template: >
    [ATR-2026-01974] CRITICAL: Unauthenticated AnythingLLM /system/data-import upload can overwrite/spoof anythingllm.db (CVE-2024-3279). Block and patch to >=1.0.0.
confidence: 80
wild_fp_rate: 0
test_cases:
  true_positives:
    - input: "curl -X POST http://target:3001/api/system/data-import -F '[email protected]' to overwrite anythingllm.db with no auth header"
      expected: triggered
      description: "Anonymous multipart POST to /system/data-import uploading a malicious database file"
    - input: "fetch(`${API_BASE}/system/data-import`, { method: 'POST', body: formData }) // uploads attacker anythingllm.db, no auth"
      expected: triggered
      description: "Frontend-style unauthenticated data-import upload of the DB file"
    - input: "Exploit for CVE-2024-3279: unauthenticated attacker imports their own anythingllm.db via /system/data-import to spoof the database"
      expected: triggered
      description: "Explicit CVE reference with the data-import access control bypass"
  true_negatives:
    - input: "Our admin docs explain how to back up anythingllm.db from the server/storage directory before upgrading."
      expected: not_triggered
      description: "Mentions anythingllm.db for backup but no data-import upload/POST sink"
    - input: "The settings page used to have an Export or Import button; that feature was removed in v1.0.0 for security."
      expected: not_triggered
      description: "Describes the removed feature generically without the endpoint path or DB upload"
    - input: "POST /api/workspace/upload with formData to add a multipart PDF document to a workspace for embedding."
      expected: not_triggered
      description: "A different multipart upload endpoint, not /system/data-import and not the DB file"
```
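A small regression harness for the three `detection.conditions` regexes, run against the rule's own `test_cases`. It is an added example, not ATR tooling or the rule authors' code. The function names and the constructed backup sentence are assumptions introduced here.

```python
import re

# detection.conditions from the rule above, after YAML decoding: inside a
# single-quoted YAML scalar '' is one literal ', so ["'']? becomes ["']?.
CONDITIONS = {
    "01": r"""(?i)/system/data-import\b[\s\S]{0,300}(?:multipart/form-data|form-?data|multer|\.db\b|anythingllm\.db|method\s*[:=]\s*["']?post)""",
    "02": r"(?i)anythingllm\.db[\s\S]{0,200}(?:/system/data-import|data-import|formData|multipart|import)",
    "03": r"(?i)CVE-2024-3279[\s\S]{0,200}(?:data-import|anythingllm|access control|unauthenticated)",
}
COMPILED = {cid: re.compile(rx) for cid, rx in CONDITIONS.items()}

def matched_conditions(content):
    """Ids of the conditions whose regex matches, kept for alert triage."""
    return [cid for cid, rx in COMPILED.items() if rx.search(content)]

def triggered(content):
    """condition: any -> a single matching condition fires the rule."""
    return bool(matched_conditions(content))

# Inputs copied verbatim from test_cases in the rule.
TRUE_POSITIVES = [
    "curl -X POST http://target:3001/api/system/data-import -F '[email protected]' to overwrite anythingllm.db with no auth header",
    "fetch(`${API_BASE}/system/data-import`, { method: 'POST', body: formData }) // uploads attacker anythingllm.db, no auth",
    "Exploit for CVE-2024-3279: unauthenticated attacker imports their own anythingllm.db via /system/data-import to spoof the database",
]
TRUE_NEGATIVES = [
    "Our admin docs explain how to back up anythingllm.db from the server/storage directory before upgrading.",
    "The settings page used to have an Export or Import button; that feature was removed in v1.0.0 for security.",
    "POST /api/workspace/upload with formData to add a multipart PDF document to a workspace for embedding.",
]
# Constructed sample (not from the rule): backup text that names the DB file
# and uses the word "import" without touching the endpoint.
CONSTRUCTED_BACKUP_NOTE = (
    "Nightly job copies anythingllm.db to /backups; re-import workspace documents separately."
)

def regression_failures():
    """Return the inputs whose verdict differs from the rule's expectation."""
    bad = [s for s in TRUE_POSITIVES if not triggered(s)]
    bad += [s for s in TRUE_NEGATIVES if triggered(s)]
    return bad

if __name__ == "__main__":
    for s in TRUE_POSITIVES + TRUE_NEGATIVES + [CONSTRUCTED_BACKUP_NOTE]:
        print(matched_conditions(s) or "-", "|", s[:60])
    print("regression failures:", regression_failures())
```

The constructed backup sentence matches condition 02 alone, through its bare `import` alternative, so logging the matched condition id with each alert helps separate backup/restore text of the kind listed under known false positives from hits on the endpoint path.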
More Privilege Escalation rules
- ATR-2026-00040 (critical): Privilege Escalation and Admin Function Access
- ATR-2026-00041 (medium): Agent Scope Creep Detection
- ATR-2026-00107 (high): Privilege Escalation via Delayed Task Execution Bypass
- ATR-2026-00110 (critical): Remote Code Execution via eval() and Dynamic Code Injection
- ATR-2026-00111 (critical): Shell Metacharacter Injection in Tool Arguments