AnythingLLM Insecure Direct Object Reference Vulnerability in TTS Endpoint Allows Cross-User Audio Access

Vulnerability

A vulnerability in AnythingLLM prior to version 1.12.1 allows users to access another user's text-to-speech (TTS) audio response within the same workspace. The issue arises because the TTS endpoint validates workspace membership but fails to enforce ownership of the chat response. As a result, an authenticated user can retrieve private assistant responses in audio form if the chat ID is known or guessed. This vulnerability constitutes an insecure direct object reference (IDOR) affecting private chat content accessed through the TTS endpoint.

Impact

The vulnerability allows an authenticated user to access and retrieve another user's private chat responses in audio form, leaking confidential conversation content across users within the same workspace.

Reproduction

To reproduce this vulnerability, an authenticated user sends a GET request to the TTS endpoint, including the workspace slug and a chat ID that belongs to another user. The request is authorized with the requesting user's own JWT. The TTS endpoint responds with the audio of the targeted chat response, demonstrating the cross-user access flaw.

Remediation

Users can update to AnythingLLM version 1.12.1 or later, where this vulnerability has been patched.

Added: May 8, 2026, 11:21 PM
Updated: May 8, 2026, 11:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 4.0
remediation: 7.7
relevance: 7.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.