Skip to main content

Librechat EUVDEUVD-2026-19946

| CVE-2026-34371 MEDIUM
Path Traversal (CWE-22)
2026-04-07 GitHub_M
6.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.3 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
0.8.4
EUVD ID Assigned
Apr 07, 2026 - 21:31 euvd
EUVD-2026-19946
Analysis Generated
Apr 07, 2026 - 21:31 vuln.today
CVE Published
Apr 07, 2026 - 21:08 nvd
MEDIUM 6.3

DescriptionGitHub Advisory

LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the execute_code sandbox when persisting code-generated artifacts. On deployments using the default local file strategy, a malicious artifact filename containing traversal sequences (for example, ../../../../../app/client/dist/poc.txt) is concatenated into the server-side destination path and written with fs.writeFileSync() without sanitization. This gives any user who can trigger execute_code an arbitrary file write primitive as the LibreChat server user. This vulnerability is fixed in 0.8.4.

AnalysisAI

Arbitrary file write in LibreChat prior to 0.8.4 allows authenticated users to overwrite arbitrary server files via path traversal in code artifact filenames. The vulnerability affects LibreChat deployments using the default local file storage strategy, where the execute_code sandbox returns a user-controllable filename that is concatenated directly into the file write path without sanitization. An authenticated attacker can craft malicious artifact names containing traversal sequences (e.g., ../../../../../app/client/dist/poc.txt) to write files outside the intended directory, potentially compromising application integrity or enabling remote code execution through client-side file injection.

Technical ContextAI

LibreChat's execute_code sandbox feature allows users to generate code artifacts stored via a pluggable file strategy system. The vulnerability stems from improper trust of the name field returned by the sandbox process. When using the default local file strategy (fs.writeFileSync), the application concatenates user-influenced filenames directly into the destination path without Path.normalize() or similar canonicalization, failing to filter directory traversal sequences. This is a classic Path Traversal (CWE-22) vulnerability where relative path components (../) are not stripped before filesystem operations. The affected code path is triggered whenever execute_code produces an artifact with a malicious filename, and any authenticated LibreChat user who can invoke code execution features is a potential attacker.

RemediationAI

The primary remediation is to upgrade LibreChat to version 0.8.4 or later, which includes the path traversal fix. For users unable to immediately upgrade, consider disabling the execute_code feature if not essential to operations, or implementing filesystem permissions restrictions to limit the damage from potential file writes (e.g., restricting server process permissions to specific directories). Additionally, audit recent LibreChat logs for any suspicious artifact filenames containing ../ sequences to detect potential exploitation attempts. The fix is available in the official GitHub repository at https://github.com/danny-avila/LibreChat/security/advisories/GHSA-qrm5-r67f-6692, which documents the security advisory and patched release.

CVE-2024-11170 HIGH POC
8.8 Mar 20

A vulnerability in danny-avila/librechat version git 81f2936 allows for path traversal due to improper sanitization of f

CVE-2024-10361 CRITICAL POC
9.1 Mar 20

An arbitrary file deletion vulnerability exists in danny-avila/librechat version v0.7.5-rc2, specifically within the /ap

CVE-2025-69222 CRITICAL POC
9.1 Jan 07

LibreChat 0.8.1-rc2 has SSRF in the Actions feature that allows authenticated users to make the server perform requests

CVE-2026-22252 CRITICAL POC
9.1 Jan 12

LibreChat before v0.8.2-rc2 allows any authenticated user to execute shell commands as root inside the container through

CVE-2025-66201 HIGH POC
8.6 Nov 29

LibreChat is a ChatGPT clone with additional features. Rated high severity (CVSS 8.6), this vulnerability is remotely ex

CVE-2024-11171 HIGH POC
7.5 Mar 20

In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. Rated high severity (

CVE-2025-69220 HIGH POC
7.1 Jan 07

LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file

CVE-2024-11173 MEDIUM POC
6.5 Mar 20

An unhandled exception in the danny-avila/librechat repository, version git 600d217, can cause the server to crash, lead

CVE-2024-10366 MEDIUM POC
6.5 Mar 20

An improper access control vulnerability (IDOR) exists in the delete attachments functionality of danny-avila/librechat

CVE-2024-41704 CRITICAL
9.8 Jul 22

LibreChat through 0.7.4-rc1 does not validate the normalized pathnames of images. Rated critical severity (CVSS 9.8), th

CVE-2024-41703 CRITICAL
9.8 Jul 22

LibreChat through 0.7.4-rc1 has incorrect access control for message updates. Rated critical severity (CVSS 9.8), this v

CVE-2026-32625 CRITICAL
9.6 Jun 02

{VAR} placeholders against the host process environment, so attacker-controlled MCP URLs cause the LibreChat backend to

Share

EUVD-2026-19946 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy