Skip to main content

Librechat CVE-2026-33265

| EUVDEUVD-2026-12813 MEDIUM
Incorrect Resource Transfer Between Spheres (CWE-669)
2026-03-18 mitre
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 18, 2026 - 11:30 euvd
EUVD-2026-12813
Analysis Generated
Mar 18, 2026 - 11:30 vuln.today
CVE Published
Mar 18, 2026 - 11:17 nvd
MEDIUM 6.3

DescriptionCVE.org

In LibreChat 0.8.1-rc2, a logged-in user obtains a JWT for both the LibreChat API and the RAG API.

AnalysisAI

LibreChat 0.8.1-rc2 improperly issues JWT tokens to authenticated users for both the LibreChat API and RAG API without adequate scope separation or validation, enabling token reuse across API boundaries. An authenticated attacker with local access can exploit this misconfiguration to access or manipulate resources in the RAG API using credentials intended only for the main LibreChat API. This authentication bypass affects all deployments of LibreChat 0.8.1-rc2, with a proof-of-concept available via the SBA Research advisory (EUVD-2026-12813), though no active KEV exploitation has been reported at this time.

Technical ContextAI

LibreChat is an open-source chat application that integrates with multiple backend APIs, including a dedicated Retrieval-Augmented Generation (RAG) API for document processing and context injection. The vulnerability stems from CWE-669 (Incorrect Resource Transfer Between Spheres), where JWT tokens generated for authenticated sessions in LibreChat 0.8.1-rc2 (identified via CPE cpe:2.3:a:librechat:librechat:*:*:*:*:*:*:*:*) are issued with insufficient granularity—tokens lack proper audience (aud) claims, scope restrictions, or API-specific validation. This allows a token issued for the primary API to be reused against the RAG API without the authorization layer detecting scope violations. The root cause reflects insufficient implementation of OAuth 2.0 and JWT best practices around token compartmentalization.

RemediationAI

Upgrade LibreChat to a patched version released after 0.8.1-rc2 (consult https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20251205-01_LibreChat_RAG_API_Authentication_Bypass for exact recommended version). If immediate upgrade is not feasible, implement JWT validation middleware that enforces scope and audience claims at the RAG API gateway, rejecting any tokens lacking an explicit 'rag_api' audience claim. Additionally, configure the RAG API to use separate signing keys or key rotation policies distinct from the main LibreChat API to prevent token substitution. Until patching, restrict network access to the RAG API to internal-only connections and disable external RAG integration if not actively required.

CVE-2024-11170 HIGH POC
8.8 Mar 20

A vulnerability in danny-avila/librechat version git 81f2936 allows for path traversal due to improper sanitization of f

CVE-2024-10361 CRITICAL POC
9.1 Mar 20

An arbitrary file deletion vulnerability exists in danny-avila/librechat version v0.7.5-rc2, specifically within the /ap

CVE-2025-69222 CRITICAL POC
9.1 Jan 07

LibreChat 0.8.1-rc2 has SSRF in the Actions feature that allows authenticated users to make the server perform requests

CVE-2026-22252 CRITICAL POC
9.1 Jan 12

LibreChat before v0.8.2-rc2 allows any authenticated user to execute shell commands as root inside the container through

CVE-2025-66201 HIGH POC
8.6 Nov 29

LibreChat is a ChatGPT clone with additional features. Rated high severity (CVSS 8.6), this vulnerability is remotely ex

CVE-2024-11171 HIGH POC
7.5 Mar 20

In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. Rated high severity (

CVE-2025-69220 HIGH POC
7.1 Jan 07

LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file

CVE-2024-11173 MEDIUM POC
6.5 Mar 20

An unhandled exception in the danny-avila/librechat repository, version git 600d217, can cause the server to crash, lead

CVE-2024-10366 MEDIUM POC
6.5 Mar 20

An improper access control vulnerability (IDOR) exists in the delete attachments functionality of danny-avila/librechat

CVE-2024-41704 CRITICAL
9.8 Jul 22

LibreChat through 0.7.4-rc1 does not validate the normalized pathnames of images. Rated critical severity (CVSS 9.8), th

CVE-2024-41703 CRITICAL
9.8 Jul 22

LibreChat through 0.7.4-rc1 has incorrect access control for message updates. Rated critical severity (CVSS 9.8), this v

CVE-2026-32625 CRITICAL
9.6 Jun 02

{VAR} placeholders against the host process environment, so attacker-controlled MCP URLs cause the LibreChat backend to

Share

CVE-2026-33265 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy