CVE-2024-0798 Information

Description

A user with a default role assigned by the admin can send DELETE HTTP requests to the remove-folder and remove-document endpoints to delete folders and source files from the instance, even though their role should explicitly not allow this action on the system.

Reference

https://huntr.com/bounties/607f03a0-ab4d-4905-b253-3d28bbbd363c

https://github.com/mintplex-labs/anything-llm/commit/d5cde8b7c27a47ab45b05b441db16751537f1733