Skip to main content

LibreChat EUVDEUVD-2026-39460

| CVE-2026-54033 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-25 GitHub_M
6.5
CVSS 3.1 · NVD
Share

Severity by source

Vendor (GitHub_M) PRIMARY
HIGH
qualitative
NVD
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.7 HIGH

Network-reachable with low complexity, but needs an authenticated account (PR:L); SSRF pivots beyond the app (S:C) to disclose internal data (C:H), with no integrity or availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Severity Changed
Jun 29, 2026 - 15:52 NVD
HIGH MEDIUM
CVSS changed
Jun 29, 2026 - 15:52 NVD
7.7 (HIGH) 6.5 (MEDIUM)
Patch available
Jun 25, 2026 - 18:03 EUVD
Analysis Generated
Jun 25, 2026 - 17:17 vuln.today

DescriptionNVD

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, LibreChat allows users to configure custom OpenAI-compatible API endpoints by setting a baseURL. This URL is used to construct HTTP requests without any SSRF validation - no private IP check, no scheme restriction, no DNS pinning. An authenticated user can set baseURL to internal network addresses. This vulnerability is fixed in 0.8.4-rc1.

AnalysisAI

Server-side request forgery in LibreChat before 0.8.4-rc1 lets any authenticated user point a custom OpenAI-compatible endpoint baseURL at internal network addresses, because the URL is used to build HTTP requests with no SSRF validation whatsoever - no private-IP blocking, no scheme restriction, and no DNS pinning. By abusing the legitimate custom-endpoint feature, a logged-in user can coerce the server into reaching internal-only services and returning their responses, with a CVSS 3.1 score of 7.7 driven by a changed scope and high confidentiality impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to LibreChat (low-priv account)
Delivery
Configure custom endpoint baseURL to internal address
Exploit
Trigger chat completion to send server-side request
Execution
Server fetches internal/metadata resource
Impact
Read response to exfiltrate internal data

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated LibreChat account (PR:L) and that the instance permits users to configure custom OpenAI-compatible endpoints by supplying a baseURL - the exact feature named in the advisory. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are moderately strong but not emergency-level. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or uses an existing low-privilege account on a LibreChat instance, adds a custom OpenAI-compatible provider, and sets its baseURL to an internal target such as http://169.254.169.254/latest/meta-data/ or an internal admin service. When they trigger a chat completion against that provider, the LibreChat server makes the request from inside the trusted network and returns the response content to the attacker, disclosing cloud credentials or internal data. …
Remediation Vendor-released patch: upgrade LibreChat to 0.8.4-rc1 or later, which adds the missing SSRF controls - this is the primary and recommended fix, per the advisory at https://github.com/danny-avila/LibreChat/security/advisories/GHSA-gc9r-88c3-7qhq. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all LibreChat deployments and document current versions; audit account access and restrict to essential personnel only; review server logs for suspicious custom endpoint configuration. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-11170 HIGH POC
8.8 Mar 20

A vulnerability in danny-avila/librechat version git 81f2936 allows for path traversal due to improper sanitization of f

CVE-2024-10361 CRITICAL POC
9.1 Mar 20

An arbitrary file deletion vulnerability exists in danny-avila/librechat version v0.7.5-rc2, specifically within the /ap

CVE-2025-69222 CRITICAL POC
9.1 Jan 07

LibreChat 0.8.1-rc2 has SSRF in the Actions feature that allows authenticated users to make the server perform requests

CVE-2026-22252 CRITICAL POC
9.1 Jan 12

LibreChat before v0.8.2-rc2 allows any authenticated user to execute shell commands as root inside the container through

CVE-2025-66201 HIGH POC
8.6 Nov 29

LibreChat is a ChatGPT clone with additional features. Rated high severity (CVSS 8.6), this vulnerability is remotely ex

CVE-2024-11171 HIGH POC
7.5 Mar 20

In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. Rated high severity (

CVE-2025-69220 HIGH POC
7.1 Jan 07

LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file

CVE-2024-11173 MEDIUM POC
6.5 Mar 20

An unhandled exception in the danny-avila/librechat repository, version git 600d217, can cause the server to crash, lead

CVE-2024-10366 MEDIUM POC
6.5 Mar 20

An improper access control vulnerability (IDOR) exists in the delete attachments functionality of danny-avila/librechat

CVE-2024-41704 CRITICAL
9.8 Jul 22

LibreChat through 0.7.4-rc1 does not validate the normalized pathnames of images. Rated critical severity (CVSS 9.8), th

CVE-2024-41703 CRITICAL
9.8 Jul 22

LibreChat through 0.7.4-rc1 has incorrect access control for message updates. Rated critical severity (CVSS 9.8), this v

CVE-2026-32625 CRITICAL
9.6 Jun 02

{VAR} placeholders against the host process environment, so attacker-controlled MCP URLs cause the LibreChat backend to

Share

EUVD-2026-39460 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy