CVE-2026-42456

CVE-2026-42456 is a medium-severity vulnerability in Mintplexlabs Anythingllm with a CVSS 3.x base score of 4.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-639.

Key facts

Description

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, GET /api/workspace/:slug/tts/:chatId in AnythingLLM returns the text-to-speech audio for another user's chat response within the same workspace because the route validates workspace membership but does not enforce ownership of the targeted chat row. As a result, an authenticated user can access another user's private assistant response in audio form if the chatId is known or guessed. This constitutes an insecure direct object reference (IDOR) affecting private chat response content exposed through the TTS endpoint. This issue has been patched in version 1.12.1.

Frequently asked questions

What is CVE-2026-42456?
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, GET /api/workspace/:slug/tts/:chatId in AnythingLLM returns the text-to-speech audio for another user's chat response within the same workspace because the route validates workspace membership but does not enforce ownership of the targeted chat row. As a result, an authenticated user can access another user's private assistant response in audio form if the chatId is known or guessed. This constitutes an insecure direct object reference (IDOR) affecting private chat response content exposed through the TTS endpoint. This issue has been patched in version 1.12.1.
How severe is CVE-2026-42456?
CVE-2026-42456 has a CVSS 3.x base score of 4.3, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
Is CVE-2026-42456 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (22nd percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-42456?
CVE-2026-42456 affects Mintplexlabs Anythingllm. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-42456?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-42456 have an EU (EUVD) identifier?
Yes. CVE-2026-42456 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-28865.
When was CVE-2026-42456 published?
CVE-2026-42456 was published on 2026-05-08 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Mintplexlabs Anythingllm

All CVEs affecting Mintplexlabs Anythingllm →

Other CWE-639 (Authorization Bypass Through User-Controlled Key (IDOR)) vulnerabilities

Browse all CWE-639 (Authorization Bypass Through User-Controlled Key (IDOR)) vulnerabilities →