CVE-2026-24477 (CVSS 9.1) affects AnythingLLM versions prior to 1.10.0: an unauthenticated REST endpoint exposes Qdrant vector database API keys in plaintext. The vulnerability is confirmed in CISA KEV with active exploitation. A single unauthenticated GET request to /api/setup-complete returns credentials that enable full read/write access to the RAG knowledge base, including document exfiltration and vector store manipulation. Immediate actions required: block the endpoint, rotate the Qdrant API key, and upgrade to AnythingLLM 1.10.0.
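The following is an added example, not part of the original advisory and not AnythingLLM code: a triage script that scans reverse-proxy access logs for clients that were already served /api/setup-complete, to scope the exposure alongside the key rotation. It assumes the proxy writes Combined Log Format; the sample lines, addresses and byte counts are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

EXPOSED_PATH = "/api/setup-complete"  # endpoint named in the advisory

# Assumption: the proxy in front of AnythingLLM writes Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def normalize(target):
    """Drop query/fragment, percent-decode, collapse slashes, lowercase.
    Deliberately loose: for triage, over-matching beats missing a hit."""
    path = unquote(re.split(r"[?#]", target, maxsplit=1)[0])
    return re.sub(r"/{2,}", "/", path).rstrip("/").lower()

def find_hits(lines):
    """Return {client_ip: [(timestamp, status, body_bytes), ...]} for GETs to the endpoint."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or normalize(m["target"]) != EXPOSED_PATH:
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        hits[m["ip"]].append((m["ts"], int(m["status"]), size))
    return dict(hits)

def clients_served(hits):
    """Clients that got a 2xx response with a body: treat the key as disclosed to them."""
    return sorted(ip for ip, rows in hits.items()
                  if any(200 <= status < 300 and size > 0 for _, status, size in rows))

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '198.51.100.23 - - [12/Feb/2026:03:14:07 +0000] "GET /api/setup-complete HTTP/1.1" 200 1843 "-" "curl/8.5.0"',
    '203.0.113.9 - - [12/Feb/2026:03:20:41 +0000] "GET /api/setup-complete/?t=1 HTTP/1.1" 200 1843 "-" "-"',
    '203.0.113.77 - - [13/Feb/2026:09:02:11 +0000] "GET /api/setup-complete HTTP/1.1" 403 153 "-" "-"',
    '192.0.2.10 - - [13/Feb/2026:09:05:00 +0000] "GET /favicon.ico HTTP/1.1" 200 318 "-" "-"',
]

if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for ip in clients_served(hits):
        # Log lines are in chronological order, so the first 2xx row is the earliest.
        first = next(ts for ts, status, _ in hits[ip] if 200 <= status < 300)
        print(f"{ip}: endpoint served a body, first seen {first}")
```

A 403 on the endpoint after the block is in place, as in the third sample line, confirms the block is effective for that client.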