Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N
PR:H reflects mandatory manager/admin role; I:H and A:H reflect unconditional deletion of arbitrary users' parsed files; C:N as no read access is gained.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. From 1.11.1 until 1.14.1, userId/workspaceId scoping to the parsed-files read/delete paths was added. However, the POST /api/workspace/:slug/embed-parsed-file/:fileId flow still deletes the target file by primary key only, with no ownership check, inside two finally{} blocks that run even when the ownership-checked read fails. As a result a manager or admin (multi-user mode) can delete any other user's parsed file in any workspace - including workspaces they are not a member of - by enumerating integer fileIds. The server even returns "File not found" while still deleting the file. This vulnerability is fixed in 1.14.1.
AnalysisAI
{} blocks that fire unconditionally - even when the preceding ownership-checked read fails - scoping deletion only by raw primary key with no userId or workspaceId constraint. Versions 1.11.1 through 1.14.0 are affected; no public exploit or CISA KEV listing identified at time of analysis, though the fix commit confirms the root cause and makes exploitation trivially reproducible.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an account with manager or admin role in AnythingLLM's multi-user mode - the vulnerability does not exist in single-user deployments. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N contains a clear inconsistency: base metrics C:N/I:N/A:N imply zero real-world impact, which directly contradicts a vulnerability enabling arbitrary cross-user file deletion. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with manager or admin credentials in a multi-user AnythingLLM deployment iterates integer values of fileId in POST requests to /api/workspace/any-slug/embed-parsed-file/{fileId}, targeting files owned by other users or in workspaces they are not a member of. Each request silently deletes the corresponding parsed file record even though the server returns 'File not found,' providing no obvious indication to the victim or monitoring systems that deletion occurred. … |
| Remediation | Upgrade AnythingLLM to version 1.14.1, which scopes the delete operation to both userId and workspaceId in addition to the fileId primary key, as confirmed by commits 34a42a33eaafe78b1e4020995ce8e9fd34d26c65 and 683fe3dfdc74b6d94c445a25bb0f2f218665a4c6. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Anything Llm
View allSQL Injection in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. Rated high severity (CVSS 8.8), this vulne
Authentication Bypass by Primary Weakness in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. Rated high sev
XSS in AnythingLLM 1.11.1 and earlier.
SQL injection in AnythingLLM versions 1.11.1 and earlier enables authenticated users to execute arbitrary SQL commands a
AnythingLLM versions 1.11.1 and earlier contain an authentication bypass vulnerability on default installations where th
Stored DOM-level XSS in AnythingLLM's chart caption rendering allows authenticated users in shared workspaces to inject
Path traversal in AnythingLLM's document folder listing endpoint on Windows allows authenticated low-privilege users to
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatti
AnythingLLM versions 1.11.1 and earlier contain a Zip Slip path traversal vulnerability in the community plugin import f
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatti
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatti
Stale mobile device tokens in AnythingLLM survive single-user to multi-user mode migration with a null userId, allowing
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39009