Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
In LibreChat 0.8.1-rc2, a logged-in user obtains a JWT for both the LibreChat API and the RAG API.
AnalysisAI
LibreChat 0.8.1-rc2 improperly issues JWT tokens to authenticated users for both the LibreChat API and RAG API without adequate scope separation or validation, enabling token reuse across API boundaries. An authenticated attacker with local access can exploit this misconfiguration to access or manipulate resources in the RAG API using credentials intended only for the main LibreChat API. This authentication bypass affects all deployments of LibreChat 0.8.1-rc2, with a proof-of-concept available via the SBA Research advisory (EUVD-2026-12813), though no active KEV exploitation has been reported at this time.
Technical ContextAI
LibreChat is an open-source chat application that integrates with multiple backend APIs, including a dedicated Retrieval-Augmented Generation (RAG) API for document processing and context injection. The vulnerability stems from CWE-669 (Incorrect Resource Transfer Between Spheres), where JWT tokens generated for authenticated sessions in LibreChat 0.8.1-rc2 (identified via CPE cpe:2.3:a:librechat:librechat:*:*:*:*:*:*:*:*) are issued with insufficient granularity—tokens lack proper audience (aud) claims, scope restrictions, or API-specific validation. This allows a token issued for the primary API to be reused against the RAG API without the authorization layer detecting scope violations. The root cause reflects insufficient implementation of OAuth 2.0 and JWT best practices around token compartmentalization.
RemediationAI
Upgrade LibreChat to a patched version released after 0.8.1-rc2 (consult https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20251205-01_LibreChat_RAG_API_Authentication_Bypass for exact recommended version). If immediate upgrade is not feasible, implement JWT validation middleware that enforces scope and audience claims at the RAG API gateway, rejecting any tokens lacking an explicit 'rag_api' audience claim. Additionally, configure the RAG API to use separate signing keys or key rotation policies distinct from the main LibreChat API to prevent token substitution. Until patching, restrict network access to the RAG API to internal-only connections and disable external RAG integration if not actively required.
A vulnerability in danny-avila/librechat version git 81f2936 allows for path traversal due to improper sanitization of f
An arbitrary file deletion vulnerability exists in danny-avila/librechat version v0.7.5-rc2, specifically within the /ap
LibreChat 0.8.1-rc2 has SSRF in the Actions feature that allows authenticated users to make the server perform requests
LibreChat before v0.8.2-rc2 allows any authenticated user to execute shell commands as root inside the container through
LibreChat is a ChatGPT clone with additional features. Rated high severity (CVSS 8.6), this vulnerability is remotely ex
In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. Rated high severity (
LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file
An unhandled exception in the danny-avila/librechat repository, version git 600d217, can cause the server to crash, lead
An improper access control vulnerability (IDOR) exists in the delete attachments functionality of danny-avila/librechat
LibreChat through 0.7.4-rc1 does not validate the normalized pathnames of images. Rated critical severity (CVSS 9.8), th
LibreChat through 0.7.4-rc1 has incorrect access control for message updates. Rated critical severity (CVSS 9.8), this v
{VAR} placeholders against the host process environment, so attacker-controlled MCP URLs cause the LibreChat backend to
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12813