Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc2 through 0.8.2-rc3, the SSE streaming endpoint /api/agents/chat/stream/:streamId does not verify that the requesting user owns the stream. Any authenticated user who obtains or guesses a valid stream ID can subscribe and read another user's real-time chat content, including messages, AI responses, and tool invocations. Version 0.8.2 patches the issue.
AnalysisAI
Unauthenticated stream hijacking in LibreChat versions 0.8.2-rc2 through 0.8.2-rc3 allows authenticated users to read other users' real-time chat conversations via the SSE streaming endpoint /api/agents/chat/stream/:streamId without ownership verification. An attacker with valid credentials can enumerate or guess stream IDs to intercept sensitive messages, AI-generated responses, and tool invocation data from arbitrary users. The vulnerability was patched in version 0.8.2.
Technical ContextAI
LibreChat implements Server-Sent Events (SSE) streaming for real-time chat delivery via the /api/agents/chat/stream/:streamId endpoint. The vulnerability stems from a missing authorization check (CWE-284: Improper Access Control) that fails to validate whether the authenticated user owns or has permission to subscribe to the requested stream resource. The endpoint accepts a stream ID parameter in the URL path but does not cross-reference it against the authenticated user's session or user ID before establishing the SSE connection. This design flaw allows any authenticated user to construct a request with a stream ID belonging to another user and receive their chat data in real-time. The affected product is LibreChat (CPE: cpe:2.3:a:danny-avila:librechat:*:*:*:*:*:*:*:*), an open-source ChatGPT alternative built with Node.js and web technologies.
RemediationAI
Vendor-released patch: LibreChat version 0.8.2 and later. Upgrade from 0.8.2-rc2 or 0.8.2-rc3 to the stable 0.8.2 release or any later version. The patch implements owner verification on the /api/agents/chat/stream/:streamId endpoint to ensure only the authenticated user who initiated the stream can subscribe to its SSE output. Reference the GitHub security advisory GHSA-f6rf-vm44-wh5g at https://github.com/danny-avila/LibreChat/security/advisories/GHSA-f6rf-vm44-wh5g for detailed guidance and confirmation. If immediate upgrade is not feasible, isolate affected instances from untrusted network access or restrict user account creation to trusted parties to limit the attack surface.
A vulnerability in danny-avila/librechat version git 81f2936 allows for path traversal due to improper sanitization of f
An arbitrary file deletion vulnerability exists in danny-avila/librechat version v0.7.5-rc2, specifically within the /ap
LibreChat 0.8.1-rc2 has SSRF in the Actions feature that allows authenticated users to make the server perform requests
LibreChat before v0.8.2-rc2 allows any authenticated user to execute shell commands as root inside the container through
LibreChat is a ChatGPT clone with additional features. Rated high severity (CVSS 8.6), this vulnerability is remotely ex
In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. Rated high severity (
LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file
An unhandled exception in the danny-avila/librechat repository, version git 600d217, can cause the server to crash, lead
An improper access control vulnerability (IDOR) exists in the delete attachments functionality of danny-avila/librechat
LibreChat through 0.7.4-rc1 does not validate the normalized pathnames of images. Rated critical severity (CVSS 9.8), th
LibreChat through 0.7.4-rc1 has incorrect access control for message updates. Rated critical severity (CVSS 9.8), this v
{VAR} placeholders against the host process environment, so attacker-controlled MCP URLs cause the LibreChat backend to
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16767