AnythingLLM Exposes Vector Database API Key to Unauthenticated Users

Key Takeaways

• Unauthenticated endpoint exposed Qdrant vector database API key
• Affected AnythingLLM versions prior to 1.10.0
• Credential exposure could enable unauthorized data access
• No confirmed exploitation reported

Vector Store Credential Leak Expands AI Infrastructure Risk

CVE-2026-24477 disclosed that AnythingLLM, an open-source LLM orchestration and retrieval tool, exposed its Qdrant vector database API key through an unauthenticated setup endpoint. Because vector stores power retrieval-augmented generation and agent memory systems, this credential exposure created a direct pathway to unauthorized access of stored embeddings and potentially sensitive contextual data.

What We Know

AnythingLLM is widely used as a lightweight orchestration layer for large language models, supporting document ingestion, vector storage, and retrieval pipelines. On January 30, 2026, CVE-2026-24477 was published in the National Vulnerability Database documenting that versions prior to 1.10.0 exposed the Qdrant API key in plain text via the /api/setup-complete endpoint.

According to the NVD advisory, this endpoint did not require authentication. As a result, any unauthenticated requester could retrieve the API key used to access the vector database. Public advisories and vulnerability tracking platforms amplified the disclosure in early February 2026.

The vendor issued a fix in version 1.10.0 that removed the exposure and secured the endpoint. There is no publicly confirmed evidence of active exploitation at this time.

What Could Happen

If exploited, exposed vector database API keys could allow attackers to query, modify, or delete stored embeddings and indexed documents. In enterprise deployments, these embeddings may represent internal documentation, proprietary data, or contextual memory used by AI agents.

Because retrieval-augmented generation systems depend on vector stores for grounding responses, tampering with or extracting embeddings could compromise both confidentiality and integrity. Attackers could poison retrieval results, exfiltrate sensitive contextual data, or manipulate downstream AI responses.

Why It Matters

Vector databases are foundational infrastructure for many AI applications, including chatbots, enterprise copilots, and agentic systems. Exposing API credentials at this layer is not merely a configuration issue; it is a supply chain risk for any application relying on that vector store.

Even without confirmed exploitation, credential exposure in AI orchestration platforms demonstrates how basic security oversights can undermine AI trust boundaries. As organizations increasingly deploy AI retrieval pipelines in production, protecting vector storage credentials becomes critical to maintaining data integrity and confidentiality.

PointGuard AI Perspective

This incident reinforces that AI infrastructure components, including vector databases and orchestration layers, must be treated as high-value assets. API keys, embeddings, and retrieval pipelines represent sensitive control and data planes within modern AI systems.

PointGuard AI helps organizations identify exposed AI services, misconfigured endpoints, and unsecured credentials across their AI environments. By providing visibility into AI infrastructure dependencies and enforcing governance controls, PointGuard AI enables teams to detect weaknesses in retrieval and memory systems before they lead to compromise.

As AI architectures mature, securing vector stores and associated credentials must become a baseline requirement, not an afterthought.

Incident Scorecard Details

Total AISSI Score: 6.2/10

Criticality = 6, Credential exposure impacting AI retrieval infrastructure, AISSI weighting: 25%
Propagation = 5, Limited to affected deployments of AnythingLLM, AISSI weighting: 20%
Exploitability = 6, Unauthenticated endpoint enabled straightforward retrieval of API key, AISSI weighting: 15%
Supply Chain = 7, Affects AI orchestration and vector database layer, AISSI weighting: 15%
Business Impact = 4, Disclosure only with no confirmed exploitation, AISSI weighting: 25%

Sources

National Vulnerability Database — CVE-2026-24477
https://nvd.nist.gov/vuln/detail/CVE-2026-24477