LibreChat
CVE-2026-44654
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionGitHub Advisory
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, a shared-agent editor can delete file records through DELETE /api/files that the owner has reused across multiple agents. The deletion removes the file globally - not just from the shared agent - breaking the owner's other private agents that reference the same file_id. The private agent retains a stale file_id reference that no longer resolves. A shared-agent editor can destroy files that the owner uses across multiple agents. The owner's private agents - which the attacker has no access to - break silently with stale file_id references. This is a cross-agent integrity violation: editing access to one agent should not affect another. Version 0.8.4 contains a patch.
AnalysisAI
Cross-agent file deletion in LibreChat 0.8.3 and earlier allows an authenticated shared-agent editor to permanently destroy files that the owner reuses across multiple agents by calling DELETE /api/files - removing the file globally rather than just from the shared agent context. The owner's private agents, which the editor has no access to, silently retain stale file_id references that no longer resolve, causing integrity and availability degradation across unrelated agents. Exploit proof-of-concept code exists (CVSS E:P); this is not confirmed as actively exploited in CISA KEV, but the low-privilege network-accessible attack path warrants prompt patching to 0.8.4.
Technical ContextAI
LibreChat is an open-source ChatGPT-compatible frontend supporting multiple AI providers and a multi-agent architecture where files can be associated with agents. The flaw resides in the DELETE /api/files API endpoint, which performs a global file deletion without scoping the operation to the requesting user's authorization domain. CWE-863 (Incorrect Authorization) identifies the root cause: the application does not verify that the requesting principal (a shared-agent editor) holds the necessary ownership rights over the file resource being deleted. Because file_id references are shared across agents, a deletion executed in the context of one shared agent propagates destructively to all other agents referencing the same file - including private agents owned by the file's original owner. This is a cross-boundary authorization failure where editing rights on one agent resource incorrectly confer destructive rights over a separate, unrelated resource.
RemediationAI
Upgrade LibreChat to version 0.8.4, which contains the vendor-released patch for this vulnerability per the GitHub Security Advisory GHSA-f8jg-v856-mf6q (https://github.com/danny-avila/LibreChat/security/advisories/GHSA-f8jg-v856-mf6q). For deployments unable to patch immediately, the primary compensating control is restricting the use of the shared-agent editor role to fully trusted internal users - removing external or untrusted collaborators from shared-agent editor access eliminates the attack surface entirely, though this may disrupt intended collaboration workflows. A secondary workaround is to avoid reusing the same file_id across both shared and private agents until the patch is applied; using distinct file uploads per agent context prevents cross-agent file deletion from propagating. Operators should also audit existing file references in private agents for stale file_id entries that may indicate exploitation has already occurred.
A vulnerability in danny-avila/librechat version git 81f2936 allows for path traversal due to improper sanitization of f
An arbitrary file deletion vulnerability exists in danny-avila/librechat version v0.7.5-rc2, specifically within the /ap
LibreChat 0.8.1-rc2 has SSRF in the Actions feature that allows authenticated users to make the server perform requests
LibreChat before v0.8.2-rc2 allows any authenticated user to execute shell commands as root inside the container through
LibreChat is a ChatGPT clone with additional features. Rated high severity (CVSS 8.6), this vulnerability is remotely ex
In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. Rated high severity (
LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file
An unhandled exception in the danny-avila/librechat repository, version git 600d217, can cause the server to crash, lead
An improper access control vulnerability (IDOR) exists in the delete attachments functionality of danny-avila/librechat
LibreChat through 0.7.4-rc1 does not validate the normalized pathnames of images. Rated critical severity (CVSS 9.8), th
LibreChat through 0.7.4-rc1 has incorrect access control for message updates. Rated critical severity (CVSS 9.8), this v
{VAR} placeholders against the host process environment, so attacker-controlled MCP URLs cause the LibreChat backend to
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today