Authentication Bypass in AnythingLLM Affects User Data Privacy
CVE-2026-47713

2LOW

Key Information:

Vendor
CVE Published:
28 May 2026

What is CVE-2026-47713?

The vulnerability in AnythingLLM allows a mobile device token created in single-user mode to persist after migrating to multi-user mode, resulting in unauthorized access to user data. When a stale token is accepted by the mobile authentication middleware, it causes the application to bypass user-specific filtering. As a result, malicious actors can exploit this flaw to enumerate workspaces and retrieve thread metadata and chat content belonging to other users, posing significant risks to user privacy. This issue was addressed in version 1.13.0.

Affected Version(s)

anything-llm < 1.13.0

References

CVSS V3.1

Score:
2
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.