PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47713 Mintplex-Labs CVE debrief

## Summary

CVE-2026-47713 is an authorization bypass vulnerability in AnythingLLM affecting versions prior to 1.13.0. The flaw stems from improper handling of mobile device tokens during a single-user to multi-user mode migration, allowing stale tokens to persist and grant unscoped data access in multi-user environments.

## Technical Details

The vulnerability exists in the mobile authentication middleware. When AnythingLLM operates in single-user mode, approved mobile device tokens are created and associated with a device record where `userId = null`. Upon migration to multi-user mode, these tokens survive the transition despite lacking a proper user association.

The mobile authentication middleware continues to accept these stale tokens. Because no valid user is attached to requests authenticated with such tokens, downstream mobile handlers default to unscoped data-access branches. This bypasses per-user filtering, exposing workspaces, workspace content, thread metadata, and chat history that should be restricted to specific users.

## Affected Versions

- **Vulnerable**: AnythingLLM versions prior to 1.13.0
- **Fixed**: AnythingLLM version 1.13.0

## Impact

An attacker with a pre-migration mobile device token can:

- Enumerate workspaces assigned to other users
- Retrieve victim-owned thread metadata
- Access chat content belonging to other users

The CVSS 3.1 score of 2.0 (Low severity) reflects the high complexity of exploitation (it requires prior possession of a valid single-user mode token) and the restricted attack surface (the mobile authentication path only).

## Root Cause

The vulnerability combines two weaknesses:

- **CWE-285 (Improper Authorization)**: The mobile authentication middleware fails to validate that authenticated requests have an associated user in multi-user mode
- **CWE-639 (Authorization Bypass Through User-Controlled Key)**: Stale tokens from single-user mode remain functional after migration, serving as unauthorized access keys

## Timeline

- **2026-05-28**: CVE published and last modified

## Recommended Actions

1. **Upgrade immediately** to AnythingLLM version 1.13.0 or later
2. **Audit existing mobile device tokens** in

| Field | Value |
|---|---|
| Vendor | Mintplex-Labs |
| Product | anything-llm |
| CVSS | LOW 2 |
| CISA KEV | Not listed in stored evidence |
| Original CVE published | 2026-05-28 |
| Original CVE updated | 2026-05-29 |
| Advisory published | 2026-05-28 |
| Advisory updated | 2026-05-29 |

Who should care

Organizations running AnythingLLM in or planning to migrate to multi-user mode; security teams managing LLM application deployments; developers implementing authentication state transitions in multi-tenant applications

Technical summary

The mobile authentication middleware in AnythingLLM fails to properly invalidate single-user mode tokens after migration to multi-user mode. Tokens with null userId remain accepted, causing downstream handlers to execute unscoped data queries without per-user filtering, resulting in unauthorized cross-user data access.

Defensive priority

low

Recommended defensive actions

  • Upgrade to AnythingLLM version 1.13.0 or later
  • Review and revoke any mobile device tokens created prior to migration from single-user to multi-user mode
  • Audit workspace access logs for unauthorized data access via mobile endpoints
  • Implement additional validation in mobile authentication middleware to reject tokens without valid user associations in multi-user mode
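The middleware defect described under Technical Details and the validation called for in the last action above, as an added illustration that is not AnythingLLM's code: a mobile-token check in the vulnerable shape (any resolvable device token is accepted) beside a hardened one that rejects user-less tokens in multi-user mode, plus a migration-time revocation helper. The device store, tokens, user ids and workspace records are all constructed in-memory for the example.

```javascript
// Constructed device-token store. "tok-legacy" was approved in single-user
// mode, so its device record carries userId = null (the stale token the
// advisory describes); "tok-alice" was approved after the migration.
const devices = new Map([
  ["tok-legacy", { id: 1, userId: null }],
  ["tok-alice", { id: 2, userId: 42 }],
]);

// Constructed workspace records owned by two different users.
const workspaces = [
  { id: 10, ownerId: 42, name: "alice-ws" },
  { id: 11, ownerId: 43, name: "bob-ws" },
];

// Vulnerable shape: a token that resolves to a device record is accepted,
// even when that record has no user behind it in multi-user mode.
function authenticateVulnerable(token) {
  const device = devices.get(token);
  if (!device) return null;
  return { device, user: device.userId };
}

// Hardened shape: in multi-user mode a device token without a user
// association is refused before any handler can run (== null also
// catches undefined for records that never had the field).
function authenticateHardened(token, multiUserMode) {
  const device = devices.get(token);
  if (!device) return null;
  if (multiUserMode && device.userId == null) return null;
  return { device, user: device.userId };
}

// Downstream handler in the shape the advisory describes: with no user on
// the session it falls into the unscoped branch and returns every workspace.
// A null session (rejected token) yields null, i.e. no data at all.
function listWorkspaces(session) {
  if (!session) return null;
  if (session.user == null) return workspaces.map((w) => w.name);
  return workspaces
    .filter((w) => w.ownerId === session.user)
    .map((w) => w.name);
}

// Migration-time cleanup matching the "review and revoke" action: drop
// every device token that has no user association. Returns the count removed.
function revokeUnassociatedTokens(store) {
  let removed = 0;
  for (const [token, device] of store) {
    if (device.userId == null) { store.delete(token); removed += 1; }
  }
  return removed;
}
```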

Evidence notes

Vulnerability description and technical details derived from official CVE record and GitHub Security Advisory. CVSS vector and CWE classifications sourced from NVD reference data. Fix version and commit hash confirmed through GitHub advisory and commit reference.
