CVE-2026-42456

Source
https://cve.org/CVERecord?id=CVE-2026-42456
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42456.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42456
Aliases
  • GHSA-jwqg-jfg3-x5vv
Published
2026-05-08T23:01:30.213Z
Modified
2026-07-08T08:11:58.740759Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
AnythingLLM: Cross-User TTS Audio Disclosure via Chat ID (IDOR)
Details

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, GET /api/workspace/:slug/tts/:chatId in AnythingLLM returns the text-to-speech audio for another user's chat response within the same workspace because the route validates workspace membership but does not enforce ownership of the targeted chat row. As a result, an authenticated user can access another user's private assistant response in audio form if the chatId is known or guessed. This constitutes an insecure direct object reference (IDOR) affecting private chat response content exposed through the TTS endpoint. This issue has been patched in version 1.12.1.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42456.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-200",
        "CWE-639"
    ]
}
References

Affected packages

Git / github.com/mintplex-labs/anything-llm

Affected ranges

Type
GIT
Repo
https://github.com/mintplex-labs/anything-llm
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.12.1"
        }
    ]
}

Affected versions

v1.*
v1.0.0
v1.1.0
v1.1.1
v1.10.0
v1.11.0
v1.11.1
v1.11.2
v1.12.0
v1.12.1
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.3.0
v1.4.0
v1.7.4
v1.7.5
v1.7.6
v1.7.8
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.8.4
v1.8.5
v1.9.0
v1.9.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42456.json"