CVE-2026-42456
4.3 MEDIUMAnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting
Published: 2026-05-08 · Last updated: 2026-05-18
Severity and scoring
- CVSS
- 4.3 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- CWE
- CWE-200, CWE-639
Affected products
| Vendor | Product |
|---|---|
| mintplexlabs | anythingllm |
Description
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, GET /api/workspace/:slug/tts/:chatId in AnythingLLM returns the text-to-speech audio for another user's chat response within the same workspace because the route validates workspace membership but does not enforce ownership of the targeted chat row. As a result, an authenticated user can access another user's private assistant response in audio form if the chatId is known or guessed. This constitutes an insecure direct object reference (IDOR) affecting private chat response content exposed through the TTS endpoint. This issue has been patched in version 1.12.1.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-42456
- [Patch]https://github.com/Mintplex-Labs/anything-llm/commit/4f3f77119d342e5489d1ba7533ad6d51bdcd565f
- [Other]https://github.com/Mintplex-Labs/anything-llm/releases/tag/v1.12.1
- [Vendor advisory]https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-jwqg-jfg3-x5vv
- [Vendor advisory]https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-jwqg-jfg3-x5vv
Related CVEs
Same vendor
- CVE-2026-48116 — AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting (7.5 HIGH)
- CVE-2026-47713 — AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting (2.0 LOW)
- CVE-2026-45403 — AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting (2.0 LOW)
Same CWE
- CVE-2026-49219 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.5 MEDIUM)
- CVE-2026-47165 — ImageMagick is free and open-source software used for editing and manipulating digital images (4.1 MEDIUM)
- CVE-2026-44692 — Sharp is a content management framework built for Laravel as a package (7.7 HIGH)
- CVE-2026-48855 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh (ssh_sftpd module) allows File Discovery
- CVE-2026-46558 — Plane is an open-source project management tool (8.3 HIGH)