Vulnerability Description
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. From 1.11.1 until 1.14.1, userId/workspaceId scoping to the parsed-files read/delete paths was added. However, the POST /api/workspace/:slug/embed-parsed-file/:fileId flow still deletes the target file by primary key only, with no ownership check, inside two finally{} blocks that run even when the ownership-checked read fails. As a result a manager or admin (multi-user mode) can delete any other user's parsed file in any workspace — including workspaces they are not a member of — by enumerating integer fileIds. The server even returns "File not found" while still deleting the file. This vulnerability is fixed in 1.14.1.
CVSS Score
NONE
Related Weaknesses (CWE)
References
- https://github.com/Mintplex-Labs/anything-llm/commit/34a42a33eaafe78b1e4020995ce
- https://github.com/Mintplex-Labs/anything-llm/commit/683fe3dfdc74b6d94c445a25bb0
- https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-r872-gr59
- https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-r872-gr59
FAQ
What is CVE-2026-55611?
CVE-2026-55611 is a vulnerability with a CVSS score of 0.0 (NONE). AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. From 1.11.1 until 1.14.1, userId/workspaceId scoping to the parsed-files rea...
How severe is CVE-2026-55611?
CVE-2026-55611 has been rated NONE with a CVSS base score of 0.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-55611?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.