
Danny-Avila Librechat vulnerabilities (cvebase)

30 known vulnerabilities affecting danny-avila/librechat.

Total CVEs: 30
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 12, MEDIUM 14

Vulnerabilities

Page 2 of 2
CVE-2026-34371 | P3 | MEDIUM | CVSS 6.3 | fixed in 0.8.4 | 2026-04-07
CWE-22: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the execute_code sandbox when persisting code-generated artifacts. On deployments using the default local file strategy, a malicious artifact filename containing traversal sequences (for example, ../../../../../app/client/dist/poc.txt) i
Source: NVD
CVE-2026-31949 | P3 | MEDIUM | CVSS 6.5 | fixed in 0.8.3-rc1 | 2026-03-13
CWE-248: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.3-rc1, a Denial of Service (DoS) vulnerability exists in the DELETE /api/convos endpoint that allows an authenticated attacker to crash the Node.js server process by sending malformed requests. The DELETE /api/convos route handler attempts to destructure req.body.arg without validat
Source: NVD
CVE-2025-69220 | P3 | MEDIUM | CVSS 5.9 | affected >= 0.8.1-rc2, < 0.8.2-rc2 | 2026-01-07
CWE-284: LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file uploads to an agent's file context and file search. An authenticated attacker with access to the agent ID can change the behavior of arbitrary agents by uploading new files to the file context or file search, even if they have no p
Source: NVD
CVE-2026-31951 | P4 | MEDIUM | CVSS 5.7 | affected >= v0.8.2-rc1, <= v0.8.3-rc1 | 2026-03-27
CWE-200: LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc1 through 0.8.3-rc1, user-created MCP (Model Context Protocol) servers can include arbitrary HTTP headers that undergo credential placeholder substitution. An attacker can create a malicious MCP server with headers containing `{{LIBRECHAT_OPENID_ACCESS_TOKEN}}` (and others),
Source: NVD
CVE-2026-31950 | P4 | MEDIUM | CVSS 5.3 | affected >= 0.8.2-rc2, < 0.8.2 | 2026-03-27
CWE-284: LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc2 through 0.8.2-rc3, the SSE streaming endpoint `/api/agents/chat/stream/:streamId` does not verify that the requesting user owns the stream. Any authenticated user who obtains or guesses a valid stream ID can subscribe and read another user's real-time chat content, including
Source: NVD
CVE-2026-54025 | P4 | MEDIUM | CVSS 5.4 | fixed in 0.8.4-rc1 | 2026-06-25
CWE-79: LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, there is a vulnerability in LibreChat's markdown artifact preview pipeline. The marked library v15.0.12 does not HTML-escape double-quote characters in image alt text when a custom renderer falls through to the default renderer. LibreChat's generateMarkdow
Source: NVD
CVE-2025-66450 | P4 | MEDIUM | CVSS 5.4 | fixed in 0.8.1 | 2025-12-11
CWE-80: LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when a user posts a question, the iconURL parameter of the POST request can be modified by an attacker. The malicious code is then stored in the chat, which can then be shared to other users. When sharing chats with a potentially malicious "tracker", resources loaded c
Source: NVD
CVE-2025-7105 | P4 | MEDIUM | CVSS 5.7 | fixed in 0.8.4-rc1 | 2026-02-02
CWE-400: A vulnerability in danny-avila/librechat allows attackers to exploit the unrestricted Fork Function in `/api/convos/fork` to fork numerous contents rapidly. If the forked content includes a Mermaid graph with a large number of nodes, it can lead to a JavaScript heap out of memory error upon service restart, causing a denial of service. This issue affec
Source: NVD
CVE-2025-69221 | P4 | MEDIUM | CVSS 4.3 | fixed in 0.8.1-rc2 | 2026-01-07
CWE-284: LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control when querying agent permissions. An authenticated attacker can read the permissions of arbitrary agents, even if they have no permissions for this agent. LibreChat allows the configuration of agents that have a predefined set of instructio
Source: NVD
CVE-2025-66452 | P4 | MEDIUM | CVSS 6.1 | affected ≤ 0.8.1 | 2025-12-11
CWE-79: LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, there is no handler for JSON parsing errors; SyntaxError from express.json() includes user input in the error message, which gets reflected in responses. User input (including HTML/JavaScript) can be exposed in error responses, creating an XSS risk if Content-Type isn
Source: NVD