CVE Catalog

CVE-2026-55611

UnknownCVSS 0.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

14th percentile - higher than 14% of all known CVEs

Summary

The AnythingLLM application has a vulnerability that allows managers or admins to delete parsed files of other users in any workspace, even if they are not members. The issue arises from a lack of ownership checks during file deletion, enabling attackers to manipulate file IDs.

Risk Assessment

The organization may face data loss as unauthorized users can delete files processed by others, leading to potential disruptions in teamwork and trust in the system.

Recommendation

It is recommended to update the application to version 1.14.1 to mitigate this vulnerability and implement additional access control mechanisms for file deletion operations.

Original NVD description (English source)

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. From 1.11.1 until 1.14.1, userId/workspaceId scoping to the parsed-files read/delete paths was added. However, the POST /api/workspace/:slug/embed-parsed-file/:fileId flow still deletes the target file by primary key only, with no ownership check, inside two finally{} blocks that run even when the ownership-checked read fails. As a result a manager or admin (multi-user mode) can delete any other user's parsed file in any workspace — including workspaces they are not a member of — by enumerating integer fileIds. The server even returns "File not found" while still deleting the file. This vulnerability is fixed in 1.14.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS