CVE-2026-42456: AnythingLLM Information Disclosure Flaw

CVE-2026-42456 Overview

CVE-2026-42456 is an Insecure Direct Object Reference (IDOR) vulnerability in AnythingLLM, an application that converts content into context for Large Language Model (LLM) chat references. The flaw exists in the GET /api/workspace/:slug/tts/:chatId endpoint, which returns text-to-speech (TTS) audio for chat responses. The route validates workspace membership but fails to enforce ownership of the targeted chat row. An authenticated user within the same workspace can retrieve another user's private assistant response in audio form if they know or guess the chatId. The issue affects versions prior to 1.12.1 and is tracked under [CWE-200] Information Exposure.

Critical Impact

Authenticated workspace members can access other users' private LLM chat responses through the TTS endpoint by referencing arbitrary chat IDs.

Affected Products

• AnythingLLM by Mintplex Labs
• All versions prior to 1.12.1
• Self-hosted and cloud deployments exposing the workspace TTS API

Discovery Timeline

• 2026-05-08 - CVE-2026-42456 published to NVD
• 2026-05-13 - Last updated in NVD database

Technical Details for CVE-2026-42456

Vulnerability Analysis

The vulnerability resides in the workspace TTS handler in server/endpoints/workspaces.js. The route accepts a chatId path parameter and returns the synthesized audio of the corresponding assistant response. Authorization logic checks that the requesting user belongs to the workspace referenced by :slug, but does not verify that the chat row referenced by chatId was generated by that user.

Because chat IDs are sequential integers stored in WorkspaceChats, an authenticated attacker sharing a workspace with the victim can enumerate IDs and harvest TTS audio of private assistant responses. The exposed audio may contain sensitive prompts, retrieved document content, or proprietary information used in retrieval-augmented generation (RAG) workflows.

Root Cause

The WorkspaceChats.get() query filtered records by id and workspaceId only, omitting the user_id constraint. This is a classic missing-authorization-check pattern matching [CWE-200] and the IDOR class of broken access control.

Attack Vector

An attacker requires a valid authenticated session and membership in the target workspace. The attacker iterates chatId values against the TTS endpoint to retrieve audio belonging to other workspace members. No user interaction from the victim is required.

       try {
         const { chatId } = request.params;
         const workspace = response.locals.workspace;
+        const user = await userFromSession(request, response);
         const cacheKey = `${workspace.slug}:${chatId}`;
         const wsChat = await WorkspaceChats.get({
           id: Number(chatId),
           workspaceId: workspace.id,
+          user_id: user?.id,
         });
 
+        if (!wsChat) return response.sendStatus(404);
         const cachedResponse = responseCache.get(cacheKey);
         if (cachedResponse) {
           response.writeHead(200, {

Source: GitHub Commit 4f3f771 — The patch resolves the issue by deriving the requesting user from the session and adding user_id to the WorkspaceChats.get() query, returning HTTP 404 when no matching chat row is owned by that user.

Detection Methods for CVE-2026-42456

Indicators of Compromise

• Sequential or enumerative GET requests against /api/workspace/:slug/tts/:chatId from a single authenticated session.
• Repeated TTS endpoint requests producing 200 responses for chatId values outside the calling user's chat history.
• Spikes in TTS audio generation requests without corresponding chat creation activity by the same user.

Detection Strategies

• Correlate application logs to flag requests where the requesting user_id does not match the user_id recorded on the returned chatId row.
• Implement rate-based detection on the /tts/ route to identify enumeration patterns.
• Audit reverse proxy or API gateway logs for non-sequential or rapid chatId access by single sessions.

Monitoring Recommendations

• Enable verbose request logging on AnythingLLM workspace endpoints and forward to a centralized log store.
• Alert on 200 responses to the TTS endpoint when the chatId queried was not created within the last user-attributed session.
• Track per-user request counts to /api/workspace/*/tts/* and baseline normal usage volumes.

How to Mitigate CVE-2026-42456

Immediate Actions Required

• Upgrade AnythingLLM to version 1.12.1 or later, which enforces chat ownership in the TTS query.
• Audit workspace membership and remove users who no longer require access to sensitive workspaces.
• Review historical TTS endpoint logs for evidence of cross-user chatId access.

Patch Information

Mintplex Labs released the fix in AnythingLLM v1.12.1. The remediation is documented in GitHub Security Advisory GHSA-jwqg-jfg3-x5vv and applied via commit 4f3f771. The patch adds the authenticated user's ID to the WorkspaceChats.get() lookup so that only the chat owner can retrieve the TTS audio.

Workarounds

• If immediate patching is not possible, disable or proxy-block the /api/workspace/:slug/tts/:chatId route at the reverse proxy.
• Restrict workspace membership to trusted users until the upgrade is applied.
• Place AnythingLLM behind an authenticated gateway that enforces per-user request validation on chat resource paths.

# Example NGINX block to deny TTS endpoint until patch is applied
location ~ ^/api/workspace/[^/]+/tts/ {
    return 403;
}