Skip to main content

Librechat CVE-2024-41703

CRITICAL
Improper Access Control (CWE-284)
2024-07-22 cve@mitre.org
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jul 22, 2024 - 05:15 nvd
CRITICAL 9.8

DescriptionNVD

LibreChat through 0.7.4-rc1 has incorrect access control for message updates.

AnalysisAI

LibreChat through 0.7.4-rc1 has incorrect access control for message updates. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-284. LibreChat through 0.7.4-rc1 has incorrect access control for message updates. Affected products include: Librechat. Version information: through 0.7.4.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2024-11170 HIGH POC
8.8 Mar 20

A vulnerability in danny-avila/librechat version git 81f2936 allows for path traversal due to improper sanitization of f

CVE-2024-10361 CRITICAL POC
9.1 Mar 20

An arbitrary file deletion vulnerability exists in danny-avila/librechat version v0.7.5-rc2, specifically within the /ap

CVE-2025-69222 CRITICAL POC
9.1 Jan 07

LibreChat 0.8.1-rc2 has SSRF in the Actions feature that allows authenticated users to make the server perform requests

CVE-2026-22252 CRITICAL POC
9.1 Jan 12

LibreChat before v0.8.2-rc2 allows any authenticated user to execute shell commands as root inside the container through

CVE-2025-66201 HIGH POC
8.6 Nov 29

LibreChat is a ChatGPT clone with additional features. Rated high severity (CVSS 8.6), this vulnerability is remotely ex

CVE-2024-11171 HIGH POC
7.5 Mar 20

In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. Rated high severity (

CVE-2025-69220 HIGH POC
7.1 Jan 07

LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file

CVE-2024-11173 MEDIUM POC
6.5 Mar 20

An unhandled exception in the danny-avila/librechat repository, version git 600d217, can cause the server to crash, lead

CVE-2024-10366 MEDIUM POC
6.5 Mar 20

An improper access control vulnerability (IDOR) exists in the delete attachments functionality of danny-avila/librechat

CVE-2024-41704 CRITICAL
9.8 Jul 22

LibreChat through 0.7.4-rc1 does not validate the normalized pathnames of images. Rated critical severity (CVSS 9.8), th

CVE-2026-32625 CRITICAL
9.6 Jun 02

{VAR} placeholders against the host process environment, so attacker-controlled MCP URLs cause the LibreChat backend to

CVE-2024-10363 MEDIUM POC
5.4 Mar 20

In version 0.7.5 of danny-avila/LibreChat, there is an improper access control vulnerability. Rated medium severity (CVS

Share

CVE-2024-41703 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy