Authentication Bypass in AnythingLLM Affects User Data Privacy
CVE-2026-47713
2LOW
What is CVE-2026-47713?
The vulnerability in AnythingLLM allows a mobile device token created in single-user mode to persist after migrating to multi-user mode, resulting in unauthorized access to user data. When a stale token is accepted by the mobile authentication middleware, it causes the application to bypass user-specific filtering. As a result, malicious actors can exploit this flaw to enumerate workspaces and retrieve thread metadata and chat content belonging to other users, posing significant risks to user privacy. This issue was addressed in version 1.13.0.
Affected Version(s)
anything-llm < 1.13.0
