Auth bypass in Mintplex-labs Anything-llm

CVE-2026-55611

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. From 1.11.1 until 1.14.1, userId/workspaceId scoping to the parsed-files read/delete paths was added. However, the…

Vulnerability class: IDOR (Insecure Direct Object Reference)

Affected products

Mintplex-labs Anything-llm — versions < 1.14.1

Weakness classification (CWE)

CWE-639 — Authorization Bypass Through User-Controlled Key

References

security-advisories@github.com (x_refsource_CONFIRM)
security-advisories@github.com (x_refsource_MISC)
security-advisories@github.com (x_refsource_MISC)