Insecure Direct Object Reference in AnythingLLM Affects Private Chat Audio Responses
CVE-2026-42456

4.3 MEDIUM

Key Information:

Vendor
CVE Published:
8 May 2026

What is CVE-2026-42456?

Prior to version 1.12.1, AnythingLLM allowed an authenticated user to retrieve the text-to-speech (TTS) audio response belonging to another user's private chat. The TTS endpoint did not verify that the requested chat belonged to the requesting user, so any logged-in user who knew or guessed a chat identifier could fetch that chat's audio. This is a classic insecure direct object reference (IDOR): authentication was enforced, but authorization on the referenced object was not. Version 1.12.1 adds the missing ownership check; deployments on earlier versions should upgrade.
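The following is an added illustration of the bug class described above, written for this page; it is not AnythingLLM's own code, and the chat store, handler names and the "ttsAudio" field are assumptions made for the example. It shows the vulnerable lookup (chat fetched by id alone after authentication) beside the fixed lookup (chat fetched by id and owner), using a constructed in-memory store with two users.

```javascript
// Added example, not AnythingLLM's own code. Models the missing ownership
// check behind CVE-2026-42456 with an in-memory chat store; the store shape,
// handler names and the "ttsAudio" field are assumptions for illustration.

// Constructed sample data: two users, each owning one private chat.
const chats = new Map([
  [101, { id: 101, userId: 1, text: "alice's private answer", ttsAudio: "audio-bytes-for-101" }],
  [202, { id: 202, userId: 2, text: "bob's private answer",   ttsAudio: "audio-bytes-for-202" }],
]);

// Vulnerable pattern: the caller is authenticated, but the chat is then looked
// up by id alone, so any authenticated user who knows a chat id gets its audio.
function ttsHandlerVulnerable(req) {
  if (!req.user) return { status: 401 };
  const chat = chats.get(Number(req.params.chatId));
  if (!chat) return { status: 404 };
  return { status: 200, body: chat.ttsAudio };
}

// Fixed pattern: the lookup is scoped to the authenticated user. A chat that
// exists but belongs to someone else is treated exactly like a chat that does
// not exist, so the response also does not confirm which ids are valid.
function ttsHandlerFixed(req) {
  if (!req.user) return { status: 401 };
  const chat = chats.get(Number(req.params.chatId));
  if (!chat || chat.userId !== req.user.id) return { status: 404 };
  return { status: 200, body: chat.ttsAudio };
}

// Constructed request: Bob (user 2) asks for the audio of Alice's chat 101.
const bobRequestsAlicesChat = { user: { id: 2 }, params: { chatId: "101" } };

// Constructed request: Alice (user 1) asks for her own chat 101.
const aliceRequestsOwnChat = { user: { id: 1 }, params: { chatId: "101" } };
```

Returning 404 rather than 403 for a chat owned by someone else is a deliberate choice: it keeps the endpoint from acting as an oracle for which chat identifiers exist. Whichever status is used, the essential fix is that the owner is part of the lookup condition, not a check bolted on afterwards that a later code path can forget.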

Affected Version(s)

anything-llm < 1.12.1

References

CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
