CVE-2026-55611

Severity: None | CVSS 0/10 | EPSS 0.24%


CVE-2026-55611 is an authorization flaw in AnythingLLM, an application that turns pieces of content into context that any LLM can use as references during chatting. Versions from 1.11.1 before 1.14.1 added userId/workspaceId scoping to the parsed-files read/delete paths, but the embed-parsed-file flow still deletes the target file by primary key with no ownership check. The published CVSS score is 0/10 (the vector records no impact metrics; see Metrics), and EPSS estimates a 0.24% chance of exploitation in the next 30 days.

Description

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. From 1.11.1 until 1.14.1, userId/workspaceId scoping to the parsed-files read/delete paths was added. However, the POST /api/workspace/:slug/embed-parsed-file/:fileId flow still deletes the target file by primary key only, with no ownership check, inside two finally{} blocks that run even when the ownership-checked read fails. As a result a manager or admin (multi-user mode) can delete any other user's parsed file in any workspace — including workspaces they are not a member of — by enumerating integer fileIds. The server even returns "File not found" while still deleting the file. This vulnerability is fixed in 1.14.1.
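The bug class in the description (a scoped read followed by an unscoped delete inside finally{}) is easy to reproduce in miniature. The following is an added example, not AnythingLLM's code: the in-memory table, the request shape, and the helper names getScoped/deleteByPk/deleteScoped are assumptions chosen to mirror the flow the advisory describes, and roles are abstracted to a caller id and workspace id. It shows the vulnerable handler returning "File not found" while still removing another user's row, and the hardened handler that only deletes what the scoped lookup returned.

```javascript
// Added example (not project code): reconstruction of the CVE-2026-55611
// pattern. Table contents and handler names are constructed for illustration.

// Constructed "parsed_files" table; integer primary key, owner and workspace.
function makeTable() {
  return new Map([
    [1, { id: 1, userId: 10, workspaceId: 100, path: "alice-notes.txt" }],
    [2, { id: 2, userId: 20, workspaceId: 200, path: "bob-contract.pdf" }],
  ]);
}

// Ownership-checked read: a row is visible only to its owner in its workspace.
function getScoped(table, fileId, userId, workspaceId) {
  const row = table.get(fileId);
  if (!row || row.userId !== userId || row.workspaceId !== workspaceId) {
    return null;
  }
  return row;
}

// Unscoped delete by primary key: the primitive the vulnerable path reaches.
function deleteByPk(table, fileId) {
  return table.delete(fileId);
}

// Scoped delete: removes the row only if the same ownership check passes.
function deleteScoped(table, fileId, userId, workspaceId) {
  if (!getScoped(table, fileId, userId, workspaceId)) return false;
  return table.delete(fileId);
}

// VULNERABLE: the read is scoped, but the cleanup in finally{} deletes by id
// alone and runs even when the read failed. The caller sees a 404 while the
// other user's row is gone.
function embedParsedFileVulnerable(table, req) {
  const { fileId, userId, workspaceId } = req;
  try {
    const file = getScoped(table, fileId, userId, workspaceId);
    if (!file) return { status: 404, error: "File not found" };
    // embedding work would happen here
    return { status: 200, embedded: file.path };
  } finally {
    deleteByPk(table, fileId); // no ownership check, always executes
  }
}

// FIXED: fail before any cleanup when the scoped read misses, and delete with
// the same scope so a guessed id can never reach another user's row.
function embedParsedFileFixed(table, req) {
  const { fileId, userId, workspaceId } = req;
  const file = getScoped(table, fileId, userId, workspaceId);
  if (!file) return { status: 404, error: "File not found" };
  try {
    return { status: 200, embedded: file.path };
  } finally {
    deleteScoped(table, fileId, userId, workspaceId);
  }
}

// Simulates caller 20 (workspace 200) enumerating integer fileIds 1..3.
// Returns the HTTP statuses seen and the ids still present afterwards.
function enumerate(handler) {
  const table = makeTable();
  const statuses = [];
  for (const fileId of [1, 2, 3]) {
    statuses.push(handler(table, { fileId, userId: 20, workspaceId: 200 }).status);
  }
  return { statuses, remaining: [...table.keys()] };
}

// Vulnerable: statuses 404,200,404 and the table is empty (file 1 was deleted
// despite the 404). Fixed: same statuses, but file 1 survives.
console.log(enumerate(embedParsedFileVulnerable));
console.log(enumerate(embedParsedFileFixed));
```

The telling signal in the vulnerable variant is the combination of a 404 response and a disappearing row: any audit that only checks the response code will miss the deletion, so tests for this fix should assert on table state after the request, not on the status alone.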

Metrics

CVSS 3.1: 0/10
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N

The 0.0 base score follows from a vector that records no confidentiality, integrity or availability impact (C:N/I:N/A:N). The described behaviour, deletion of another user's parsed file, is a loss of integrity, so treat the published score as provisional while the record's status is Deferred.

EPSS probability: 0.24% (14.5th percentile), the estimated probability of exploitation in the next 30 days.

Weakness Enumeration

References

Timeline

Published: not listed
Last Modified: not listed
Status: Deferred

Frequently Asked Questions

What is CVE-2026-55611?
An authorization flaw in AnythingLLM (versions from 1.11.1 before 1.14.1). The POST /api/workspace/:slug/embed-parsed-file/:fileId flow deletes the target parsed file by primary key, without an ownership check, inside finally{} blocks that run even when the ownership-checked read fails. A manager or admin in multi-user mode can therefore delete any user's parsed file in any workspace, including workspaces they are not a member of, by enumerating integer fileIds, and the server returns "File not found" while still deleting the file. See the Description above. Fixed in 1.14.1.
How severe is CVE-2026-55611?
Severity scoring for CVE-2026-55611 is pending analysis; the published vector carries no impact metrics, which is why the CVSS score currently reads 0/10. The EPSS model estimates a 0.24% probability of exploitation in the next 30 days.
How do I fix CVE-2026-55611?
Upgrade AnythingLLM to 1.14.1 or later, the version in which this vulnerability is fixed. No vendor references are listed on this page; check the vendor advisory for mitigation guidance on earlier versions. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-55611?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST