Skip to main content

Librechat

43 CVEs product

Monthly

CVE-2026-54024 MEDIUM PATCH This Month

Unrestricted file upload to the POST /api/convos/import endpoint in LibreChat prior to 0.8.4-rc1 allows any authenticated user to exhaust server disk space and memory, causing a denial of service. The root cause is an incomplete remediation of CVE-2024-11171: while file size limits were added to the shared multer factory, the import endpoint's independent multer instance was never updated, and the application-level fallback guard (CONVERSATION_IMPORT_MAX_FILE_SIZE_BYTES) is commented out in .env.example by default. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low exploitation complexity for any authenticated user makes this a meaningful operational risk for public-facing or open-registration deployments.

Denial Of Service File Upload Librechat
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-54025 MEDIUM PATCH This Month

Cross-site scripting in LibreChat's markdown artifact preview pipeline allows an authenticated attacker to inject arbitrary JavaScript into a victim's browser session via crafted image alt text. The marked library v15.0.12 fails to HTML-escape double-quote characters in image alt text when LibreChat's custom image renderer falls through to the built-in renderer, enabling attribute breakout via payloads like `" onload="payload`. The resulting unsanitized HTML is written directly to `innerHTML` inside the Sandpack preview iframe, executing attacker-controlled code in the victim's browser. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; fixed in version 0.8.4-rc1.

XSS Librechat
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-54027 MEDIUM PATCH This Month

LibreChat's POST /api/files/images endpoint lacks the authorization check that was correctly applied to the POST /api/files route in a prior patch, allowing any authenticated user to upload files into arbitrary agents' tool_resources (including context and execute_code environments) without ownership or EDIT permission verification. All LibreChat deployments prior to 0.8.4-rc1 are affected across any multi-user configuration. No active exploitation has been confirmed (not in CISA KEV), but the bypass is trivially exercisable by any valid session holder who knows a target agent ID.

Authentication Bypass Librechat
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-54029 MEDIUM PATCH This Month

Broken object-level authorization in LibreChat's message deletion endpoint allows any authenticated user to permanently delete messages belonging to other users. Affected are all LibreChat deployments prior to 0.8.4-rc1. By supplying their own valid conversationId for middleware validation while targeting a victim's messageId in the underlying MongoDB query, an attacker bypasses the per-user authorization check and irreversibly removes arbitrary messages. No public exploit or CISA KEV listing exists at time of analysis, but the flaw is straightforward to exploit once a valid messageId is obtained.

Authentication Bypass Librechat
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-54033 MEDIUM PATCH This Month

Server-side request forgery in LibreChat before 0.8.4-rc1 lets any authenticated user point a custom OpenAI-compatible endpoint baseURL at internal network addresses, because the URL is used to build HTTP requests with no SSRF validation whatsoever - no private-IP blocking, no scheme restriction, and no DNS pinning. By abusing the legitimate custom-endpoint feature, a logged-in user can coerce the server into reaching internal-only services and returning their responses, with a CVSS 3.1 score of 7.7 driven by a changed scope and high confidentiality impact. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the trivial low-complexity nature makes it readily exploitable once an account exists.

SSRF Librechat
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-54037 MEDIUM PATCH This Month

Rate limiter bypass in LibreChat prior to 0.8.4-rc1 allows any authenticated user to exhaust server resources via the POST /api/convos/duplicate endpoint, which performs identical expensive database operations as /api/convos/fork but was inadvertently omitted from the CVE-2025-7105 remediation scope. Operators who applied the prior fix may believe resource exhaustion was fully mitigated - they remain exposed through this overlooked parallel endpoint. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low exploitation complexity and bypass nature make this operationally significant for multi-tenant or publicly accessible LibreChat deployments.

Denial Of Service Librechat
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-54030 CRITICAL PATCH Act Now

Access-token theft in LibreChat before 0.8.5 lets a malicious MCP (Model Context Protocol) server hijack OAuth tokens minted for a legitimate server, because the client never checks that the RFC 9728 resource parameter matches the configured MCP server URL. Any LibreChat operator who connects their instance to an attacker-controlled MCP server can have the OAuth access tokens intended for a trusted server silently exfiltrated. SSVC rates technical impact as total and a proof-of-concept is referenced, but there is no public exploit weaponization and EPSS exploitation probability is very low (0.11%); it is fixed in 0.8.5.

Information Disclosure Librechat
NVD GitHub VulDB
CVSS 3.1
9.3
EPSS
0.1%
CVE-2026-54040 HIGH PATCH This Week

Authentication-bypass weakness in LibreChat before 0.8.4-rc1 lets an attacker who already holds a valid session silently regenerate all of a victim's two-factor backup codes via POST /api/auth/2fa/backup/regenerate, which never asks for a current TOTP token or an existing backup code. With fresh codes in hand, the attacker can bypass 2FA at login or turn 2FA off entirely, neutralizing the account's second factor. EPSS is low (0.15%, 5th percentile) and no active exploitation is recorded, but proof-of-concept exploitation is acknowledged in the SSVC framework.

Authentication Bypass Librechat
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-54036 HIGH PATCH This Week

Two-factor authentication takeover in LibreChat before 0.8.4-rc1 lets any authenticated user — or an attacker wielding a stolen session token — call the GET /api/auth/2fa/enable endpoint to silently overwrite an account's existing TOTP secret, regenerate backup codes, and flip twoFactorEnabled to false, all without TOTP or backup-code verification. The flaw destroys the victim's working second factor and can lock the legitimate owner out of their own 2FA. Publicly available exploit code exists (SSVC: PoC), but EPSS is low (0.18%, 8th percentile) and it is not listed in CISA KEV.

Authentication Bypass Librechat
NVD GitHub
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-44654 MEDIUM This Month

Cross-agent file deletion in LibreChat 0.8.3 and earlier allows an authenticated shared-agent editor to permanently destroy files that the owner reuses across multiple agents by calling DELETE /api/files - removing the file globally rather than just from the shared agent context. The owner's private agents, which the editor has no access to, silently retain stale file_id references that no longer resolve, causing integrity and availability degradation across unrelated agents. Exploit proof-of-concept code exists (CVSS E:P); this is not confirmed as actively exploited in CISA KEV, but the low-privilege network-accessible attack path warrants prompt patching to 0.8.4.

Authentication Bypass Librechat
NVD GitHub VulDB
CVSS 4.0
5.7
EPSS
0.0%
CVE-2026-44653 MEDIUM This Month

LibreChat's MCP server configuration API leaks decrypted admin-managed credentials - including plaintext API keys and OAuth client secrets - to any authenticated user holding only VIEW-level access to a shared MCP server. All deployments running versions up to and including 0.8.3 are affected, with the flaw accessible via standard GET requests to `/api/mcp/servers` and `/api/mcp/servers/:serverName`. No public exploit or active exploitation has been identified at time of analysis, but the low-complexity, low-privilege network vector makes credential exfiltration straightforward in any multi-user LibreChat environment.

Information Disclosure Librechat
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32625 CRITICAL Act Now

{VAR} placeholders against the host process environment, so attacker-controlled MCP URLs cause the LibreChat backend to transmit CREDS_KEY, CREDS_IV, JWT_SECRET, and MONGO_URI to an attacker-controlled host. No public exploit identified at time of analysis, and the issue is fixed in 0.8.4-rc1.

Information Disclosure Librechat
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-34371 MEDIUM PATCH This Month

Arbitrary file write in LibreChat prior to 0.8.4 allows authenticated users to overwrite arbitrary server files via path traversal in code artifact filenames. The vulnerability affects LibreChat deployments using the default local file storage strategy, where the execute_code sandbox returns a user-controllable filename that is concatenated directly into the file write path without sanitization. An authenticated attacker can craft malicious artifact names containing traversal sequences (e.g., ../../../../../app/client/dist/poc.txt) to write files outside the intended directory, potentially compromising application integrity or enabling remote code execution through client-side file injection.

Path Traversal Librechat
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-31951 MEDIUM This Month

{{LIBRECHAT_OPENID_ACCESS_TOKEN}} to harvest victim credentials during tool execution; the vulnerability is fixed in version 0.8.3-rc2. No public exploit code or CISA KEV listing is documented, but the attack requires user interaction (UI:R) and authenticated access (PR:L), limiting real-world impact.

Information Disclosure Librechat
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-31950 MEDIUM PATCH This Month

Unauthenticated stream hijacking in LibreChat versions 0.8.2-rc2 through 0.8.2-rc3 allows authenticated users to read other users' real-time chat conversations via the SSE streaming endpoint `/api/agents/chat/stream/:streamId` without ownership verification. An attacker with valid credentials can enumerate or guess stream IDs to intercept sensitive messages, AI-generated responses, and tool invocation data from arbitrary users. The vulnerability was patched in version 0.8.2.

Authentication Bypass Librechat
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-31945 HIGH PATCH This Week

Server-side request forgery in LibreChat 0.8.2-rc2 through 0.8.2 allows authenticated users to access internal network resources via incomplete DNS validation bypass. Despite a prior SSRF patch, the current hostname validation fails to check if DNS resolution points to private IP addresses, enabling attackers to reach internal RAG APIs and cloud metadata endpoints. CVSS 7.7 with network-based attack vector and low complexity. EPSS data not available; no confirmed active exploitation (not listed in CISA KEV). Patch released in version 0.8.3-rc1.

SSRF Librechat
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-31943 HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in LibreChat versions prior to 0.8.3 allows authenticated users to bypass IP validation and force the application server to make HTTP requests to internal network resources. The vulnerability stems from improper validation of IPv4-mapped IPv6 addresses in hex-normalized form, enabling access to cloud metadata services (AWS 169.254.169.254), loopback addresses, and RFC1918 private networks. With EPSS data unavailable and no CISA KEV listing, no public exploit identified at time of analysis, though the specific bypass technique (hex-normalized IPv4-mapped IPv6) is well-documented in SSRF research.

SSRF Librechat
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-33265 MEDIUM This Month

LibreChat 0.8.1-rc2 improperly issues JWT tokens to authenticated users for both the LibreChat API and RAG API without adequate scope separation or validation, enabling token reuse across API boundaries. An authenticated attacker with local access can exploit this misconfiguration to access or manipulate resources in the RAG API using credentials intended only for the main LibreChat API. This authentication bypass affects all deployments of LibreChat 0.8.1-rc2, with a proof-of-concept available via the SBA Research advisory (EUVD-2026-12813), though no active KEV exploitation has been reported at this time.

Information Disclosure Librechat
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-41258 HIGH This Week

A critical authentication bypass vulnerability exists in LibreChat version 0.8.1-rc2 where the same JWT secret is reused for both user session management and the RAG (Retrieval-Augmented Generation) API authentication. This design flaw allows authenticated users to compromise service-level authentication of the RAG API by leveraging their session tokens to access or manipulate the RAG service beyond intended privileges. No active exploitation (KEV) has been reported, but a detailed security advisory with technical analysis is publicly available from SBA Research.

Authentication Bypass Librechat
NVD GitHub VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-31949 MEDIUM PATCH This Month

LibreChat versions prior to 0.8.3-rc1 contain a Denial of Service vulnerability in the DELETE /api/convos endpoint where authenticated attackers can crash the Node.js server process by sending malformed requests lacking the required req.body.arg parameter. The vulnerability exploits improper destructuring without validation, causing an unhandled TypeError that bypasses Express middleware and triggers process.exit(1), resulting in complete service unavailability. No evidence of active exploitation in the wild or public POC has been identified at this time.

Node.js Denial Of Service AI / ML Librechat
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-31944 HIGH This Week

LibreChat versions 0.8.2 through 0.8.2-rc3 contain an authentication bypass vulnerability in the Model Context Protocol (MCP) OAuth callback endpoint that allows attackers to steal OAuth tokens by tricking victims into completing an OAuth flow, resulting in account takeover of the victim's MCP-linked services like Atlassian and Outlook. No active exploitation is known (not in KEV), no POC is publicly available, and EPSS data is not yet available for this newly disclosed vulnerability.

Atlassian Authentication Bypass Microsoft AI / ML Librechat
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-22252 CRITICAL POC PATCH Act Now

LibreChat before v0.8.2-rc2 allows any authenticated user to execute shell commands as root inside the container through the MCP stdio transport. A single API request is sufficient for root code execution. PoC available, patch available.

Authentication Bypass AI / ML Librechat
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-69222 CRITICAL POC PATCH Act Now

LibreChat 0.8.1-rc2 has SSRF in the Actions feature that allows authenticated users to make the server perform requests to internal networks. By configuring agents with malicious OpenAPI specifications, attackers can scan internal infrastructure and access internal services. PoC available, patch available.

Docker SSRF AI / ML Librechat
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2025-69221 MEDIUM POC PATCH This Month

LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control when querying agent permissions. [CVSS 4.3 MEDIUM]

Authentication Bypass AI / ML Librechat
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-69220 HIGH POC PATCH This Week

LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file uploads to an agents file context and file search. [CVSS 7.1 HIGH]

Authentication Bypass AI / ML Librechat
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-66201 HIGH POC This Week

LibreChat is a ChatGPT clone with additional features. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Librechat
NVD GitHub
CVSS 4.0
8.6
EPSS
0.1%
CVE-2025-7104 HIGH POC PATCH This Month

A mass assignment vulnerability exists in danny-avila/librechat, affecting all versions. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Librechat
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-7106 MEDIUM PATCH This Month

danny-avila/librechat is affected by an authorization bypass vulnerability due to improper access control checks. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Librechat
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-6088 LOW POC PATCH Monitor

In version 0.7.8 of danny-avila/librechat, improper authorization controls in the conversation sharing feature allow unauthorized access to other users' conversations if the conversation ID is known. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. Public exploit code available.

Authentication Bypass Librechat
NVD GitHub
CVSS 3.1
3.1
EPSS
0.0%
CVE-2025-54868 HIGH POC PATCH This Month

LibreChat is a ChatGPT clone with additional features. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Librechat
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2024-12580 MEDIUM POC PATCH This Month

A vulnerability in danny-avila/librechat prior to version 0.7.6 allows for logs debug injection. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection Librechat
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2024-11173 MEDIUM POC PATCH This Month

An unhandled exception in the danny-avila/librechat repository, version git 600d217, can cause the server to crash, leading to a full denial of service. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Denial Of Service Librechat
NVD GitHub
CVSS 3.0
6.5
EPSS
0.2%
CVE-2024-11172 HIGH POC PATCH This Month

A vulnerability in danny-avila/librechat version git a1647d7 allows an unauthenticated attacker to cause a denial of service by sending a crafted payload to the server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Librechat
NVD GitHub
CVSS 3.0
7.5
EPSS
0.3%
CVE-2024-11171 HIGH POC PATCH This Week

In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Librechat
NVD GitHub
CVSS 3.0
7.5
EPSS
0.2%
CVE-2024-11170 HIGH POC PATCH This Week

A vulnerability in danny-avila/librechat version git 81f2936 allows for path traversal due to improper sanitization of file paths by the multer middleware. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Path Traversal Librechat
NVD GitHub
CVSS 3.0
8.8
EPSS
2.9%
CVE-2024-11169 HIGH POC PATCH This Month

An unhandled exception in danny-avila/librechat version 3c94ff2 can lead to a server crash. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Librechat
NVD GitHub
CVSS 3.0
7.5
EPSS
0.8%
CVE-2024-11167 MEDIUM POC PATCH This Month

An improper access control vulnerability in danny-avila/librechat versions prior to 0.7.6 allows authenticated users to delete other users' prompts via the groupid parameter. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Librechat
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2024-10366 MEDIUM POC PATCH This Month

An improper access control vulnerability (IDOR) exists in the delete attachments functionality of danny-avila/librechat version v0.7.5-rc2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Librechat
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2024-10363 MEDIUM POC PATCH This Month

In version 0.7.5 of danny-avila/LibreChat, there is an improper access control vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Librechat
NVD GitHub
CVSS 3.0
5.4
EPSS
0.1%
CVE-2024-10361 CRITICAL POC PATCH Act Now

An arbitrary file deletion vulnerability exists in danny-avila/librechat version v0.7.5-rc2, specifically within the /api/files endpoint. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Librechat
NVD GitHub
CVSS 3.1
9.1
EPSS
0.4%
CVE-2024-10359 MEDIUM POC PATCH This Month

In danny-avila/librechat version v0.7.5-rc2, a vulnerability exists in the preset creation functionality where a user can manipulate the user ID field through mass assignment. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Code Injection Librechat
NVD GitHub
CVSS 3.0
4.6
EPSS
0.1%
CVE-2024-41704 CRITICAL PATCH Act Now

LibreChat through 0.7.4-rc1 does not validate the normalized pathnames of images. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Librechat
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-41703 CRITICAL PATCH Act Now

LibreChat through 0.7.4-rc1 has incorrect access control for message updates. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Librechat
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Unrestricted file upload to the POST /api/convos/import endpoint in LibreChat prior to 0.8.4-rc1 allows any authenticated user to exhaust server disk space and memory, causing a denial of service. The root cause is an incomplete remediation of CVE-2024-11171: while file size limits were added to the shared multer factory, the import endpoint's independent multer instance was never updated, and the application-level fallback guard (CONVERSATION_IMPORT_MAX_FILE_SIZE_BYTES) is commented out in .env.example by default. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low exploitation complexity for any authenticated user makes this a meaningful operational risk for public-facing or open-registration deployments.

Denial Of Service File Upload Librechat
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site scripting in LibreChat's markdown artifact preview pipeline allows an authenticated attacker to inject arbitrary JavaScript into a victim's browser session via crafted image alt text. The marked library v15.0.12 fails to HTML-escape double-quote characters in image alt text when LibreChat's custom image renderer falls through to the built-in renderer, enabling attribute breakout via payloads like `" onload="payload`. The resulting unsanitized HTML is written directly to `innerHTML` inside the Sandpack preview iframe, executing attacker-controlled code in the victim's browser. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; fixed in version 0.8.4-rc1.

XSS Librechat
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

LibreChat's POST /api/files/images endpoint lacks the authorization check that was correctly applied to the POST /api/files route in a prior patch, allowing any authenticated user to upload files into arbitrary agents' tool_resources (including context and execute_code environments) without ownership or EDIT permission verification. All LibreChat deployments prior to 0.8.4-rc1 are affected across any multi-user configuration. No active exploitation has been confirmed (not in CISA KEV), but the bypass is trivially exercisable by any valid session holder who knows a target agent ID.

Authentication Bypass Librechat
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Broken object-level authorization in LibreChat's message deletion endpoint allows any authenticated user to permanently delete messages belonging to other users. Affected are all LibreChat deployments prior to 0.8.4-rc1. By supplying their own valid conversationId for middleware validation while targeting a victim's messageId in the underlying MongoDB query, an attacker bypasses the per-user authorization check and irreversibly removes arbitrary messages. No public exploit or CISA KEV listing exists at time of analysis, but the flaw is straightforward to exploit once a valid messageId is obtained.

Authentication Bypass Librechat
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Server-side request forgery in LibreChat before 0.8.4-rc1 lets any authenticated user point a custom OpenAI-compatible endpoint baseURL at internal network addresses, because the URL is used to build HTTP requests with no SSRF validation whatsoever - no private-IP blocking, no scheme restriction, and no DNS pinning. By abusing the legitimate custom-endpoint feature, a logged-in user can coerce the server into reaching internal-only services and returning their responses, with a CVSS 3.1 score of 7.7 driven by a changed scope and high confidentiality impact. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the trivial low-complexity nature makes it readily exploitable once an account exists.

SSRF Librechat
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Rate limiter bypass in LibreChat prior to 0.8.4-rc1 allows any authenticated user to exhaust server resources via the POST /api/convos/duplicate endpoint, which performs identical expensive database operations as /api/convos/fork but was inadvertently omitted from the CVE-2025-7105 remediation scope. Operators who applied the prior fix may believe resource exhaustion was fully mitigated - they remain exposed through this overlooked parallel endpoint. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low exploitation complexity and bypass nature make this operationally significant for multi-tenant or publicly accessible LibreChat deployments.

Denial Of Service Librechat
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Access-token theft in LibreChat before 0.8.5 lets a malicious MCP (Model Context Protocol) server hijack OAuth tokens minted for a legitimate server, because the client never checks that the RFC 9728 resource parameter matches the configured MCP server URL. Any LibreChat operator who connects their instance to an attacker-controlled MCP server can have the OAuth access tokens intended for a trusted server silently exfiltrated. SSVC rates technical impact as total and a proof-of-concept is referenced, but there is no public exploit weaponization and EPSS exploitation probability is very low (0.11%); it is fixed in 0.8.5.

Information Disclosure Librechat
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authentication-bypass weakness in LibreChat before 0.8.4-rc1 lets an attacker who already holds a valid session silently regenerate all of a victim's two-factor backup codes via POST /api/auth/2fa/backup/regenerate, which never asks for a current TOTP token or an existing backup code. With fresh codes in hand, the attacker can bypass 2FA at login or turn 2FA off entirely, neutralizing the account's second factor. EPSS is low (0.15%, 5th percentile) and no active exploitation is recorded, but proof-of-concept exploitation is acknowledged in the SSVC framework.

Authentication Bypass Librechat
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Two-factor authentication takeover in LibreChat before 0.8.4-rc1 lets any authenticated user — or an attacker wielding a stolen session token — call the GET /api/auth/2fa/enable endpoint to silently overwrite an account's existing TOTP secret, regenerate backup codes, and flip twoFactorEnabled to false, all without TOTP or backup-code verification. The flaw destroys the victim's working second factor and can lock the legitimate owner out of their own 2FA. Publicly available exploit code exists (SSVC: PoC), but EPSS is low (0.18%, 8th percentile) and it is not listed in CISA KEV.

Authentication Bypass Librechat
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM This Month

Cross-agent file deletion in LibreChat 0.8.3 and earlier allows an authenticated shared-agent editor to permanently destroy files that the owner reuses across multiple agents by calling DELETE /api/files - removing the file globally rather than just from the shared agent context. The owner's private agents, which the editor has no access to, silently retain stale file_id references that no longer resolve, causing integrity and availability degradation across unrelated agents. Exploit proof-of-concept code exists (CVSS E:P); this is not confirmed as actively exploited in CISA KEV, but the low-privilege network-accessible attack path warrants prompt patching to 0.8.4.

Authentication Bypass Librechat
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

LibreChat's MCP server configuration API leaks decrypted admin-managed credentials - including plaintext API keys and OAuth client secrets - to any authenticated user holding only VIEW-level access to a shared MCP server. All deployments running versions up to and including 0.8.3 are affected, with the flaw accessible via standard GET requests to `/api/mcp/servers` and `/api/mcp/servers/:serverName`. No public exploit or active exploitation has been identified at time of analysis, but the low-complexity, low-privilege network vector makes credential exfiltration straightforward in any multi-user LibreChat environment.

Information Disclosure Librechat
NVD GitHub VulDB
EPSS 0% CVSS 9.6
CRITICAL Act Now

{VAR} placeholders against the host process environment, so attacker-controlled MCP URLs cause the LibreChat backend to transmit CREDS_KEY, CREDS_IV, JWT_SECRET, and MONGO_URI to an attacker-controlled host. No public exploit identified at time of analysis, and the issue is fixed in 0.8.4-rc1.

Information Disclosure Librechat
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Arbitrary file write in LibreChat prior to 0.8.4 allows authenticated users to overwrite arbitrary server files via path traversal in code artifact filenames. The vulnerability affects LibreChat deployments using the default local file storage strategy, where the execute_code sandbox returns a user-controllable filename that is concatenated directly into the file write path without sanitization. An authenticated attacker can craft malicious artifact names containing traversal sequences (e.g., ../../../../../app/client/dist/poc.txt) to write files outside the intended directory, potentially compromising application integrity or enabling remote code execution through client-side file injection.

Path Traversal Librechat
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM This Month

{{LIBRECHAT_OPENID_ACCESS_TOKEN}} to harvest victim credentials during tool execution; the vulnerability is fixed in version 0.8.3-rc2. No public exploit code or CISA KEV listing is documented, but the attack requires user interaction (UI:R) and authenticated access (PR:L), limiting real-world impact.

Information Disclosure Librechat
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unauthenticated stream hijacking in LibreChat versions 0.8.2-rc2 through 0.8.2-rc3 allows authenticated users to read other users' real-time chat conversations via the SSE streaming endpoint `/api/agents/chat/stream/:streamId` without ownership verification. An attacker with valid credentials can enumerate or guess stream IDs to intercept sensitive messages, AI-generated responses, and tool invocation data from arbitrary users. The vulnerability was patched in version 0.8.2.

Authentication Bypass Librechat
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Server-side request forgery in LibreChat 0.8.2-rc2 through 0.8.2 allows authenticated users to access internal network resources via incomplete DNS validation bypass. Despite a prior SSRF patch, the current hostname validation fails to check if DNS resolution points to private IP addresses, enabling attackers to reach internal RAG APIs and cloud metadata endpoints. CVSS 7.7 with network-based attack vector and low complexity. EPSS data not available; no confirmed active exploitation (not listed in CISA KEV). Patch released in version 0.8.3-rc1.

SSRF Librechat
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in LibreChat versions prior to 0.8.3 allows authenticated users to bypass IP validation and force the application server to make HTTP requests to internal network resources. The vulnerability stems from improper validation of IPv4-mapped IPv6 addresses in hex-normalized form, enabling access to cloud metadata services (AWS 169.254.169.254), loopback addresses, and RFC1918 private networks. With EPSS data unavailable and no CISA KEV listing, no public exploit identified at time of analysis, though the specific bypass technique (hex-normalized IPv4-mapped IPv6) is well-documented in SSRF research.

SSRF Librechat
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

LibreChat 0.8.1-rc2 improperly issues JWT tokens to authenticated users for both the LibreChat API and RAG API without adequate scope separation or validation, enabling token reuse across API boundaries. An authenticated attacker with local access can exploit this misconfiguration to access or manipulate resources in the RAG API using credentials intended only for the main LibreChat API. This authentication bypass affects all deployments of LibreChat 0.8.1-rc2, with a proof-of-concept available via the SBA Research advisory (EUVD-2026-12813), though no active KEV exploitation has been reported at this time.

Information Disclosure Librechat
NVD GitHub VulDB
EPSS 0% CVSS 8.0
HIGH This Week

A critical authentication bypass vulnerability exists in LibreChat version 0.8.1-rc2 where the same JWT secret is reused for both user session management and the RAG (Retrieval-Augmented Generation) API authentication. This design flaw allows authenticated users to compromise service-level authentication of the RAG API by leveraging their session tokens to access or manipulate the RAG service beyond intended privileges. No active exploitation (KEV) has been reported, but a detailed security advisory with technical analysis is publicly available from SBA Research.

Authentication Bypass Librechat
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

LibreChat versions prior to 0.8.3-rc1 contain a Denial of Service vulnerability in the DELETE /api/convos endpoint where authenticated attackers can crash the Node.js server process by sending malformed requests lacking the required req.body.arg parameter. The vulnerability exploits improper destructuring without validation, causing an unhandled TypeError that bypasses Express middleware and triggers process.exit(1), resulting in complete service unavailability. No evidence of active exploitation in the wild or public POC has been identified at this time.

Node.js Denial Of Service AI / ML +1
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH This Week

LibreChat versions 0.8.2 through 0.8.2-rc3 contain an authentication bypass vulnerability in the Model Context Protocol (MCP) OAuth callback endpoint that allows attackers to steal OAuth tokens by tricking victims into completing an OAuth flow, resulting in account takeover of the victim's MCP-linked services like Atlassian and Outlook. No active exploitation is known (not in KEV), no POC is publicly available, and EPSS data is not yet available for this newly disclosed vulnerability.

Atlassian Authentication Bypass Microsoft +2
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

LibreChat before v0.8.2-rc2 allows any authenticated user to execute shell commands as root inside the container through the MCP stdio transport. A single API request is sufficient for root code execution. PoC available, patch available.

Authentication Bypass AI / ML Librechat
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

LibreChat 0.8.1-rc2 has SSRF in the Actions feature that allows authenticated users to make the server perform requests to internal networks. By configuring agents with malicious OpenAPI specifications, attackers can scan internal infrastructure and access internal services. PoC available, patch available.

Docker SSRF AI / ML +1
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control when querying agent permissions. [CVSS 4.3 MEDIUM]

Authentication Bypass AI / ML Librechat
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file uploads to an agents file context and file search. [CVSS 7.1 HIGH]

Authentication Bypass AI / ML Librechat
NVD GitHub
EPSS 0% CVSS 8.6
HIGH POC This Week

LibreChat is a ChatGPT clone with additional features. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Librechat
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Month

A mass assignment vulnerability exists in danny-avila/librechat, affecting all versions. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Librechat
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

danny-avila/librechat is affected by an authorization bypass vulnerability due to improper access control checks. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Librechat
NVD GitHub
EPSS 0% CVSS 3.1
LOW POC PATCH Monitor

In version 0.7.8 of danny-avila/librechat, improper authorization controls in the conversation sharing feature allow unauthorized access to other users' conversations if the conversation ID is known. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. Public exploit code available.

Authentication Bypass Librechat
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Month

LibreChat is a ChatGPT clone with additional features. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Librechat
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

A vulnerability in danny-avila/librechat prior to version 0.7.6 allows for logs debug injection. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection Librechat
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

An unhandled exception in the danny-avila/librechat repository, version git 600d217, can cause the server to crash, leading to a full denial of service. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Denial Of Service Librechat
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Month

A vulnerability in danny-avila/librechat version git a1647d7 allows an unauthenticated attacker to cause a denial of service by sending a crafted payload to the server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Librechat
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Librechat
NVD GitHub
EPSS 3% CVSS 8.8
HIGH POC PATCH This Week

A vulnerability in danny-avila/librechat version git 81f2936 allows for path traversal due to improper sanitization of file paths by the multer middleware. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Path Traversal Librechat
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Month

An unhandled exception in danny-avila/librechat version 3c94ff2 can lead to a server crash. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Librechat
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

An improper access control vulnerability in danny-avila/librechat versions prior to 0.7.6 allows authenticated users to delete other users' prompts via the groupid parameter. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Librechat
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

An improper access control vulnerability (IDOR) exists in the delete attachments functionality of danny-avila/librechat version v0.7.5-rc2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Librechat
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

In version 0.7.5 of danny-avila/LibreChat, there is an improper access control vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Librechat
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

An arbitrary file deletion vulnerability exists in danny-avila/librechat version v0.7.5-rc2, specifically within the /api/files endpoint. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Librechat
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM POC PATCH This Month

In danny-avila/librechat version v0.7.5-rc2, a vulnerability exists in the preset creation functionality where a user can manipulate the user ID field through mass assignment. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Code Injection Librechat
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

LibreChat through 0.7.4-rc1 does not validate the normalized pathnames of images. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Librechat
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

LibreChat through 0.7.4-rc1 has incorrect access control for message updates. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Librechat
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy