CVE-2026-24478 is a critical path traversal vulnerability (CWE-22) found in the DrupalWiki integration component of the Mintplex-Labs anything-llm application, versions prior to 1.10.0. AnythingLLM is designed to convert content into contextual references usable by large language models during chat interactions. The vulnerability stems from improper validation and limitation of file pathnames, allowing an attacker with administrative privileges or the ability to influence an admin to configure a malicious DrupalWiki URL to write arbitrary files anywhere on the server filesystem. This arbitrary file write capability can be exploited to overwrite critical configuration files or deploy malicious executable scripts, leading to remote code execution (RCE). The CVSS v3.1 base score is 7.2, reflecting high impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, and requiring high privileges but no user interaction. The flaw was publicly disclosed on January 26, 2026, and fixed in version 1.10.0 of anything-llm. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk if leveraged by attackers, especially in environments where anything-llm is deployed with DrupalWiki integration and administrative access is attainable or can be socially engineered.

For European organizations, exploitation of this vulnerability could result in severe consequences including unauthorized disclosure of sensitive data, full system compromise, and disruption of services. Since the vulnerability allows arbitrary file writes and potential remote code execution, attackers could implant backdoors, manipulate application behavior, or exfiltrate confidential information. Organizations relying on anything-llm for AI-driven content contextualization, especially those integrating DrupalWiki, face risks to both their operational integrity and data confidentiality. The requirement for administrative privileges limits the attack surface but does not eliminate risk, as insider threats or social engineering attacks targeting admins could enable exploitation. The impact is particularly critical for sectors with stringent data protection regulations such as finance, healthcare, and government institutions within Europe, where breaches could lead to regulatory penalties and reputational damage.

European organizations should immediately upgrade anything-llm to version 1.10.0 or later to remediate the vulnerability. Until patching is complete, restrict administrative access to trusted personnel only and implement strict access controls and monitoring on admin accounts to detect suspicious configuration changes. Employ network segmentation to isolate systems running anything-llm and DrupalWiki integrations from broader enterprise networks. Conduct thorough audits of existing configurations to identify and remove any malicious or suspicious DrupalWiki URLs. Implement file integrity monitoring to detect unauthorized file writes or modifications. Additionally, enhance security awareness training for administrators to mitigate social engineering risks. Where possible, deploy web application firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting the DrupalWiki integration endpoints.