CVE-2026-24477 (CVSS 9.1) exposes the Qdrant vector database API key in plaintext via an unauthenticated GET request to AnythingLLM’s /api/setup-complete endpoint, affecting all versions prior to 1.10.0. Confirmed on CISA KEV with active exploitation; a successful attacker gains full read/write access to the RAG knowledge base, enabling document exfiltration, embedding poisoning, and data destruction. Upgrade to AnythingLLM 1.10.0 immediately and rotate the Qdrant API key; restrict the endpoint at the WAF or reverse proxy layer pending patch deployment.
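Because the advisory reports active exploitation, reverse proxy logs from before the upgrade are worth reviewing to judge whether the key may already have been disclosed. The following is an added example, not code from AnythingLLM or the advisory: it flags successful GET requests to /api/setup-complete from sources outside a trusted set. The combined log format, the trusted network list, and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: the reverse proxy writes combined-format access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
ENDPOINT = "/api/setup-complete"  # endpoint named in the advisory
# Assumption: networks allowed to reach the endpoint; adjust per site.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]


def is_trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable client field: treat as untrusted
    return any(ip in net for net in TRUSTED)


def find_exposures(lines):
    """Return (ip, timestamp, status) for successful GETs to the endpoint
    from untrusted sources; each is a possible key disclosure."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        # Strip query string and trailing slashes before comparing paths.
        path = m["target"].split("?", 1)[0].rstrip("/").lower()
        if path != ENDPOINT:
            continue
        status = int(m["status"])
        if 200 <= status < 300 and not is_trusted(m["ip"]):
            hits.append((m["ip"], m["ts"], status))
    return hits


# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    '203.0.113.7 - - [12/Feb/2026:10:01:02 +0000] "GET /api/setup-complete HTTP/1.1" 200 4312 "-" "curl/8.5.0"',
    '10.1.2.3 - - [12/Feb/2026:10:02:00 +0000] "GET /api/setup-complete HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Feb/2026:10:03:10 +0000] "GET /api/setup-complete?x=1 HTTP/1.1" 403 153 "-" "python-requests/2.31"',
    '198.51.100.9 - - [12/Feb/2026:10:04:44 +0000] "GET /api/setup-complete/ HTTP/1.1" 200 4312 "-" "python-requests/2.31"',
    '203.0.113.7 - - [12/Feb/2026:10:05:00 +0000] "GET /favicon.ico HTTP/1.1" 200 15 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    print(find_exposures(SAMPLE))
```

A hit dated before the upgrade to 1.10.0 means the Qdrant API key in use at that time should be treated as disclosed; hits that return 403 after the proxy restriction is in place are not reported.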