cbcvebase.

Danny-Avila Librechat vulnerabilities

30 known vulnerabilities affecting danny-avila/librechat.

Total CVEs
30
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL4HIGH12MEDIUM14

Vulnerabilities

Page 1 of 2
CVE-2026-22252P2CRITICALCVSS 9.9fixed in v0.8.2-rc22026-01-12
CVE-2026-22252 [CRITICAL] CWE-285 CVE-2026-22252: LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio tr LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbitrary commands without validation, allowing any authenticated user to execute shell commands as root inside the container through a single API request. This vulnerability is fixed in v0.8.2-rc2.
nvd
CVE-2026-32625P2CRITICALCVSS 9.6fixed in 0.8.4-rc12026-06-02
CVE-2026-32625 [CRITICAL] CWE-200 CVE-2026-32625: LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and in LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, the Model Context Protocol (MCP) server integration resolves ${VAR} placeholders against the server's process.env during Zod schema validation of user-supplied MCP server URLs. Any authenticated user can create a malicious MCP server
nvd
CVE-2025-69222P2HIGHCVSS 8.1v>= 0.8.1-rc2, 0.8.2-rc22026-01-07
CVE-2025-69222 [HIGH] CWE-918 CVE-2025-69222: LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 is prone to a server-side r LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 is prone to a server-side request forgery (SSRF) vulnerability due to missing restrictions of the Actions feature in the default configuration. LibreChat enables users to configure agents with predefined instructions and actions that can interact with remote services via OpenAPI
nvd
CVE-2026-54030P3CRITICALCVSS 9.3fixed in 0.8.52026-06-25
CVE-2026-54030 [CRITICAL] CWE-346 CVE-2026-54030: LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.5, LibreCha LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.5, LibreChat's MCP OAuth implementation does not validate that the resource parameter from OAuth Protected Resource metadata (RFC 9728) matches the configured MCP server URL, allowing a malicious MCP server to steal access tokens intended for a legitimate serv
nvd
CVE-2026-31943P3HIGHCVSS 8.5fixed in 0.8.32026-03-27
CVE-2026-31943 [HIGH] CWE-918 CVE-2026-31943: LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.3, `isPrivateIP()` in `p LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.3, `isPrivateIP()` in `packages/api/src/auth/domain.ts` fails to detect IPv4-mapped IPv6 addresses in their hex-normalized form, allowing any authenticated user to bypass SSRF protection and make the server issue HTTP requests to internal network resources — including cloud me
nvd
CVE-2025-66201P3HIGHCVSS 8.1fixed in 0.8.1-rc22025-11-29
CVE-2025-66201 [HIGH] CWE-20 CVE-2025-66201: LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.1-rc2, LibreChat is vuln LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.1-rc2, LibreChat is vulnerable to Server-side Request Forgery (SSRF), by passing specially crafted OpenAPI specs to its "Actions" feature and making the LLM use those actions. It could be used by an authenticated user with access to this feature to access URLs only accessible t
nvd
CVE-2026-54036P3HIGHCVSS 8.1fixed in 0.8.4-rc12026-06-25
CVE-2026-54036 [HIGH] CWE-306 CVE-2026-54036: LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the GET /api/auth/2fa/enable endpoint can be called by an authenticated user (or attacker with a stolen session) even when 2FA is already fully enabled on the account. This endpoint overwrites the existing TOTP secret, generates new backup codes, and sets tw
nvd
CVE-2026-44654P3HIGHCVSS 8.1fixed in 0.8.52026-06-02
CVE-2026-44654 [HIGH] CWE-863 CVE-2026-44654: LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and in LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, a shared-agent editor can delete file records through `DELETE /api/files` that the owner has reused across multiple agents. The deletion removes the file globally — not just from the shared agent — breaking the owner's other private agent
nvd
CVE-2026-31945P3HIGHCVSS 7.7v>= 0.8.2-rc2, < 0.8.3-rc12026-03-27
CVE-2026-31945 [HIGH] CWE-918 CVE-2026-31945: LibreChat is a ChatGPT clone with additional features. Versions 0.8.2-rc2 through 0.8.2 are vulnerab LibreChat is a ChatGPT clone with additional features. Versions 0.8.2-rc2 through 0.8.2 are vulnerable to a server-side request forgery (SSRF) attack when using agent actions or MCP. Although a previous SSRF vulnerability (https://github.com/danny-avila/LibreChat/security/advisories/GHSA-rgjq-4q58-m3q8) was reported and patched, the fix only introduce
nvd
CVE-2025-54868P3HIGHCVSS 7.5v>= 0.0.6, < 0.7.72025-08-05
CVE-2025-54868 [HIGH] CWE-285 CVE-2025-54868: LibreChat is a ChatGPT clone with additional features. In versions 0.0.6 through 0.7.7-rc1, an expos LibreChat is a ChatGPT clone with additional features. In versions 0.0.6 through 0.7.7-rc1, an exposed testing endpoint allows reading arbitrary chats directly from the Meilisearch engine. The endpoint /api/search/test allows for direct access to stored chats in the Meilisearch engine without proper access control. This results in the ability to read
nvd
CVE-2025-41258P3HIGHCVSS 8.0v0.8.1-rc22026-03-18
CVE-2025-41258 [HIGH] CWE-284 CVE-2025-41258: LibreChat version 0.8.1-rc2 uses the same JWT secret for the user session mechanism and RAG API whic LibreChat version 0.8.1-rc2 uses the same JWT secret for the user session mechanism and RAG API which compromises the service-level authentication of the RAG API.
nvd
CVE-2024-41703P3CRITICALCVSS 9.8fixed in 0.8.4-rc12024-07-22
CVE-2024-41703 [CRITICAL] CWE-284 CVE-2024-41703: LibreChat through 0.7.4-rc1 has incorrect access control for message updates. LibreChat through 0.7.4-rc1 has incorrect access control for message updates.
nvd
CVE-2026-31944P3HIGHCVSS 7.6v>= v0.8.2, <= 0.8.2-rc32026-03-13
CVE-2026-31944 [HIGH] CWE-306 CVE-2026-31944: LibreChat is a ChatGPT clone with additional features. From 0.8.2 to 0.8.2-rc3, The MCP (Model Conte LibreChat is a ChatGPT clone with additional features. From 0.8.2 to 0.8.2-rc3, The MCP (Model Context Protocol) OAuth callback endpoint accepts the redirect from the identity provider and stores OAuth tokens for the user who initiated the flow, without verifying that the browser hitting the redirect URL is logged in or that the logged-in user matches
nvd
CVE-2026-54027P3MEDIUMCVSS 6.5fixed in 0.8.4-rc12026-06-25
CVE-2026-54027 [MEDIUM] CWE-862 CVE-2026-54027: LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the POST /api/files/images endpoint allows any authenticated user to upload files into any agent's tool_resources (e.g., context, execute_code) without verifying ownership or EDIT permission on the target agent. A permission check was added to the POST /ap
nvd
CVE-2026-54040P3HIGHCVSS 7.1fixed in 0.8.4-rc12026-06-25
CVE-2026-54040 [HIGH] CWE-306 CVE-2026-54040: LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the POST /api/auth/2fa/backup/regenerate endpoint regenerates all 2FA backup codes without requiring any TOTP token or existing backup code verification. An attacker with a stolen session token can silently replace a victim's backup codes and use them to byp
nvd
CVE-2026-31942P3HIGHCVSS 7.1fixed in 0.8.3-rc12026-06-02
CVE-2026-31942 [HIGH] CWE-862 CVE-2026-31942: LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and in LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.7.6, an Insecure Direct Object Reference (IDOR) vulnerability exists in the API keys management endpoint (PUT /api/keys). Due to the use of the JavaScript object spread operator after setting the authenticated user's ID, any authenticated user
nvd
CVE-2026-44653P3MEDIUMCVSS 6.5fixed in 0.8.42026-06-02
CVE-2026-44653 [MEDIUM] CWE-201 CVE-2026-44653: LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and in LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, users with only `VIEW` access to an MCP server can retrieve the server's decrypted admin-managed secrets through `GET /api/mcp/servers` and `GET /api/mcp/servers/:serverName`. The returned config includes plaintext values for `apiKey.ke
nvd
CVE-2024-11171P3HIGHCVSS 7.5fixed in 0.8.4-rc12025-03-20
CVE-2024-11171 [HIGH] CWE-770 CVE-2024-11171: In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. T In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. The application uses multer middleware for handling multipart file uploads. When using in-memory storage (the default setting for multer), there is no limit on the upload file size. This can lead to a server crash due to out-of-memory errors when handlin
nvd
CVE-2025-66451P3MEDIUMCVSS 6.5fixed in 0.8.12025-12-11
CVE-2025-66451 [MEDIUM] CWE-20 CVE-2025-66451: LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when creating pr LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when creating prompts, JSON requests are sent to define and modify the prompts via PATCH endpoint for prompt groups (/api/prompts/groups/:groupId). However, the request bodies are not sufficiently validated for proper input, enabling users to modify prompts in a way t
nvd
CVE-2026-54033P3MEDIUMCVSS 6.5fixed in 0.8.4-rc12026-06-25
CVE-2026-54033 [MEDIUM] CWE-918 CVE-2026-54033: LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, Libr LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, LibreChat allows users to configure custom OpenAI-compatible API endpoints by setting a baseURL. This URL is used to construct HTTP requests without any SSRF validation — no private IP check, no scheme restriction, no DNS pinning. An authenticated user ca
nvd
Danny-Avila Librechat vulnerabilities | cvebase