Severity by source
AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, an approved mobile device token created in single-user mode can survive single-user -> multi-user migration even when the device record has userId = null. In multi-user mode, that stale token is still accepted by the mobile authentication middleware. Because no user is attached to the request, downstream mobile handlers fall back to unscoped data-access branches and return workspaces and workspace content without per-user filtering. This permits a pre-migration mobile token to enumerate a workspace assigned only to another user and retrieve victim-owned thread metadata and chat content in multi-user mode. This vulnerability is fixed in 1.13.0.
AnalysisAI
Stale mobile device tokens in AnythingLLM survive single-user to multi-user mode migration with a null userId, allowing a pre-migration token holder to bypass per-user data filtering and access other users' workspace content. Affected are all AnythingLLM installations (cpe:2.3:a:mintplex-labs:anything-llm) prior to version 1.13.0 that have undergone a single-user to multi-user migration while mobile device tokens existed. An attacker retaining a previously approved mobile token can enumerate workspaces and retrieve thread metadata and chat history belonging to other users. No public exploit identified at time of analysis and this CVE is not listed in CISA KEV.
Technical ContextAI
AnythingLLM (Mintplex-Labs) is an LLM-context application with a mobile interface that uses device-based token authentication. In single-user mode, approved mobile device records are stored in the desktop_mobile_devices table with a userId column that may be null. The mobile authentication middleware accepts these tokens without validating userId presence, and downstream handlers contain unscoped data-access fallback branches that activate when no user is attached to the request - exposing workspace and chat data without per-user ACL enforcement. CWE-285 (Improper Authorization) precisely describes the root cause: the authorization model fails to enforce user-scoped access when the identity binding (userId) is null, rather than treating a null userId as an invalid or unauthorized state. The commit diff confirms the fix calls MobileDevice.migrateDevicesToMultiUser() during multi-user enablement, which reassigns all null-userId device records to the admin user, eliminating the orphaned token condition.
RemediationAI
Upgrade AnythingLLM to version 1.13.0, which introduces a MobileDevice.migrateDevicesToMultiUser() call during the single-user to multi-user migration flow. This reassigns all mobile device records with a null userId to the migrating admin user, eliminating orphaned tokens. The patch commit is available at https://github.com/Mintplex-Labs/anything-llm/commit/9d714f95c124b61df00b840e36f623a2eb7e7eb4 and the vendor advisory at https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-h349-hp2v-8rhw. As a compensating control for operators who cannot immediately upgrade, manually auditing and revoking all mobile device tokens in the desktop_mobile_devices table where userId IS NULL before or immediately after completing a single-user to multi-user migration will eliminate the vulnerable token state. Note that revoking tokens will force re-approval of legitimate mobile devices.
More in Anything Llm
View allSQL Injection in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. Rated high severity (CVSS 8.8), this vulne
Authentication Bypass by Primary Weakness in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. Rated high sev
XSS in AnythingLLM 1.11.1 and earlier.
SQL injection in AnythingLLM versions 1.11.1 and earlier enables authenticated users to execute arbitrary SQL commands a
AnythingLLM versions 1.11.1 and earlier contain an authentication bypass vulnerability on default installations where th
Stored DOM-level XSS in AnythingLLM's chart caption rendering allows authenticated users in shared workspaces to inject
Path traversal in AnythingLLM's document folder listing endpoint on Windows allows authenticated low-privilege users to
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatti
AnythingLLM versions 1.11.1 and earlier contain a Zip Slip path traversal vulnerability in the community plugin import f
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatti
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatti
Symlink following in the AnythingLLM agent filesystem copy tool (versions prior to 1.13.0) allows a highly-privileged au
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33069