CVE-2026-47713
Analyzed Analyzed - Analysis Complete
Authentication Bypass in AnythingLLM via Stale Mobile Tokens

Publication date: 2026-05-28

Last updated on: 2026-06-03

Assigner: GitHub, Inc.

Description
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, an approved mobile device token created in single-user mode can survive single-user -> multi-user migration even when the device record has userId = null. In multi-user mode, that stale token is still accepted by the mobile authentication middleware. Because no user is attached to the request, downstream mobile handlers fall back to unscoped data-access branches and return workspaces and workspace content without per-user filtering. This permits a pre-migration mobile token to enumerate a workspace assigned only to another user and retrieve victim-owned thread metadata and chat content in multi-user mode. This vulnerability is fixed in 1.13.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-03
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-47713
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mintplexlabs anythingllm to 1.13.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in AnythingLLM versions prior to 1.13.0 where a mobile device token created in single-user mode can persist after migrating to multi-user mode, even if the device record has no associated user ID.

In multi-user mode, this stale token is still accepted by the mobile authentication middleware. Since no user is attached to the request, the system falls back to unscoped data access, allowing the token holder to access workspaces and content without proper per-user filtering.

This means an attacker with such a token can enumerate and retrieve workspace data, thread metadata, and chat content belonging to other users, violating data isolation between users.

Impact Analysis

This vulnerability can lead to unauthorized access to workspace content and chat data belonging to other users.

An attacker with a stale token can view sensitive information without proper authorization, potentially leading to data leakage and privacy breaches.

Because the token bypasses normal user-scoped access controls, it undermines the security model of the application and exposes user data to unintended parties.

Mitigation Strategies

The vulnerability is fixed in AnythingLLM version 1.13.0. Immediate mitigation involves upgrading the application to version 1.13.0 or later to ensure that stale mobile device tokens created in single-user mode do not persist and allow unauthorized access in multi-user mode.

Compliance Impact

This vulnerability allows unauthorized access to workspace content and thread metadata belonging to other users due to improper token validation and lack of per-user filtering in multi-user mode.

Such unauthorized data exposure could potentially lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.

Detection Guidance

Detection of this vulnerability involves identifying mobile device tokens that have a null userId in a multi-user mode environment, as these tokens can bypass user-scoping and access unauthorized workspace content.

One approach is to query the database table that stores mobile device tokens (e.g., the desktop_mobile_devices table) to find records where the userId field is null.

  • Example SQL command to detect such tokens: SELECT * FROM desktop_mobile_devices WHERE userId IS NULL;

Additionally, monitoring authentication logs for requests authenticated with tokens that do not have an associated user or that access data without proper user scoping may help detect exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47713. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart