CVE-2026-47713 | Mintplex-Labs anything-llm up to 1.12.x improper authorization (GHSA-h349-hp2v-8rhw)

This report documents CVE-2026-47713: an improper authorization vulnerability in Mintplex-Labs anything-llm (<= 1.12.x) where mobile tokens created in single-user mode can survive migration to multi-user mode and be accepted without an attached user, enabling enumeration and retrieval of other users' workspace metadata and chat content; the issue is fixed in version 1.13.0 (patch commit 9d714f95c124b61df00b840e36f623a2eb7e7eb4) and the recommended mitigation is to upgrade.