Skip to main content

Librechat CVE-2025-41258

| EUVDEUVD-2025-208825 HIGH
Improper Access Control (CWE-284)
2026-03-18 sba-research
8.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.0 HIGH
AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 18, 2026 - 11:30 euvd
EUVD-2025-208825
Analysis Generated
Mar 18, 2026 - 11:30 vuln.today
CVE Published
Mar 18, 2026 - 11:08 nvd
HIGH 8.0

DescriptionCVE.org

LibreChat version 0.8.1-rc2 uses the same JWT secret for the user session mechanism and RAG API which compromises the service-level authentication of the RAG API.

AnalysisAI

A critical authentication bypass vulnerability exists in LibreChat version 0.8.1-rc2 where the same JWT secret is reused for both user session management and the RAG (Retrieval-Augmented Generation) API authentication. This design flaw allows authenticated users to compromise service-level authentication of the RAG API by leveraging their session tokens to access or manipulate the RAG service beyond intended privileges. No active exploitation (KEV) has been reported, but a detailed security advisory with technical analysis is publicly available from SBA Research.

Technical ContextAI

LibreChat is a web-based chat application (cpe:2.3:a:danny-avila:librechat) that implements RAG (Retrieval-Augmented Generation) functionality for enhanced AI responses. The vulnerability stems from CWE-284 (Improper Access Control) where the application uses a shared JWT signing secret across different security boundaries. When the same cryptographic key material is used to sign tokens for user sessions and service-level API authentication, users can potentially forge or reuse their session JWTs to authenticate to backend services that should have separate authentication mechanisms. This violates the principle of defense in depth and breaks service isolation.

RemediationAI

Users running LibreChat version 0.8.1-rc2 should immediately upgrade to a patched version or implement separate JWT secrets for user session management and RAG API authentication by modifying the application configuration to use distinct cryptographic keys for each authentication domain. Review the SBA Research security advisory at https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20251205-01_LibreChat_RAG_API_Authentication_Bypass for detailed technical guidance and consult the official LibreChat repository at https://github.com/danny-avila/LibreChat for patch availability and upgrade instructions. As an interim mitigation, restrict network access to the RAG API endpoints to only trusted service accounts and implement additional authorization checks to validate that JWT tokens used for RAG API access originate from legitimate service contexts rather than user sessions.

CVE-2024-11170 HIGH POC
8.8 Mar 20

A vulnerability in danny-avila/librechat version git 81f2936 allows for path traversal due to improper sanitization of f

CVE-2024-10361 CRITICAL POC
9.1 Mar 20

An arbitrary file deletion vulnerability exists in danny-avila/librechat version v0.7.5-rc2, specifically within the /ap

CVE-2025-69222 CRITICAL POC
9.1 Jan 07

LibreChat 0.8.1-rc2 has SSRF in the Actions feature that allows authenticated users to make the server perform requests

CVE-2026-22252 CRITICAL POC
9.1 Jan 12

LibreChat before v0.8.2-rc2 allows any authenticated user to execute shell commands as root inside the container through

CVE-2025-66201 HIGH POC
8.6 Nov 29

LibreChat is a ChatGPT clone with additional features. Rated high severity (CVSS 8.6), this vulnerability is remotely ex

CVE-2024-11171 HIGH POC
7.5 Mar 20

In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. Rated high severity (

CVE-2025-69220 HIGH POC
7.1 Jan 07

LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file

CVE-2024-11173 MEDIUM POC
6.5 Mar 20

An unhandled exception in the danny-avila/librechat repository, version git 600d217, can cause the server to crash, lead

CVE-2024-10366 MEDIUM POC
6.5 Mar 20

An improper access control vulnerability (IDOR) exists in the delete attachments functionality of danny-avila/librechat

CVE-2024-41704 CRITICAL
9.8 Jul 22

LibreChat through 0.7.4-rc1 does not validate the normalized pathnames of images. Rated critical severity (CVSS 9.8), th

CVE-2024-41703 CRITICAL
9.8 Jul 22

LibreChat through 0.7.4-rc1 has incorrect access control for message updates. Rated critical severity (CVSS 9.8), this v

CVE-2026-32625 CRITICAL
9.6 Jun 02

{VAR} placeholders against the host process environment, so attacker-controlled MCP URLs cause the LibreChat backend to

Share

CVE-2025-41258 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy