CVE-2025-63390 Public Disclosure

Security Advisory: CVE-2025-63390 - Authentication Bypass in AnythingLLM Workspaces

CVE ID: CVE-2025-63390
Date: 2025-12-18
Vendor: Mintplex Labs
Product: AnythingLLM
Affected Versions: v1.8.5
Vulnerability Type: Insecure Permissions / Authentication Bypass
Severity: High (Privilege Escalation, Information Disclosure)

Summary

An authentication bypass vulnerability exists in AnythingLLM v1.8.5 via the endpoint. The endpoint fails to implement proper authentication checks, allowing unauthenticated remote attackers to enumerate and retrieve detailed information about all configured workspaces.

Impact

Information Disclosure: Leakage of detailed workspace configuration, AI model settings, and system prompts.
Escalation of Privileges: Potential to gain direct access to workspace resources.

References

Vendor Repository: https://github.com/Mintplex-Labs/anything-llm
Issues: https://github.com/Mintplex-Labs/anything-llm/issues

Credits

Discovered by Zhihuang Liu ().
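
The missing check described in the Summary, as an added example that is not AnythingLLM code or part of the original advisory: a deny-by-default dispatcher beside the unguarded pattern, plus a regression check that lists non-public routes answering without credentials. The route paths, token and workspace data are constructed placeholders.

```javascript
// Added example, not AnythingLLM code: paths, token and data are constructed.
const API_TOKEN = "constructed-example-token"; // placeholder secret
const WORKSPACES = [
  { slug: "finance", model: "example-model", systemPrompt: "internal prompt text" },
];

// Compares every character so the result does not depend on where a mismatch occurs.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i); // out-of-range index yields NaN, treated as 0
  }
  return diff === 0;
}

// True only when the request carries "Authorization: Bearer <API_TOKEN>".
function isAuthenticated(req) {
  const match = /^Bearer (.+)$/.exec((req.headers || {}).authorization || "");
  return match !== null && safeEqual(match[1], API_TOKEN);
}

// Routes are private unless explicitly marked public.
const routes = {
  "GET /example/workspaces": { handler: () => ({ status: 200, body: WORKSPACES }) },
  "GET /example/ping": { public: true, handler: () => ({ status: 200, body: "ok" }) },
};

// enforceAuth=false reproduces the weak pattern: the handler runs for anyone.
function dispatch(req, enforceAuth) {
  const route = routes[`${req.method} ${req.path}`];
  if (!route) return { status: 404, body: null };
  if (enforceAuth && !route.public && !isAuthenticated(req)) {
    return { status: 401, body: null };
  }
  return route.handler(req);
}

// Regression check: list non-public routes that answer 200 without credentials.
function exposedRoutes(enforceAuth) {
  return Object.keys(routes).filter((key) => {
    const [method, path] = key.split(" ");
    const res = dispatch({ method, path, headers: {} }, enforceAuth);
    return !routes[key].public && res.status === 200;
  });
}
```

Running `exposedRoutes(true)` in CI against the real route table turns a forgotten authentication step into a failing test instead of a disclosure.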