Librechat vulnerabilities
51 known vulnerabilities affecting librechat/librechat.
Total CVEs: 51
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 19, MEDIUM 24, LOW 1
Vulnerabilities (page 1 of 3)
CVE-2026-22252 · Priority P2 · CRITICAL · CVSS 9.9 · CWE-285 · v0.8.2 · 2026-01-12 · Source: NVD
LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbitrary commands without validation, allowing any authenticated user to execute shell commands as root inside the container through a single API request. This vulnerability is fixed in v0.8.2-rc2.
CVE-2026-32625 · Priority P2 · CRITICAL · CVSS 9.6 · CWE-200 · fixed in 0.8.4 · 2026-06-02 · Source: NVD
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, the Model Context Protocol (MCP) server integration resolves ${VAR} placeholders against the server's process.env during Zod schema validation of user-supplied MCP server URLs. Any authenticated user can create a malicious MCP server
CVE-2024-10361 · Priority P2 · CRITICAL · CVSS 9.1 · CWE-22 · v0.7.5 · 2025-03-20 · Source: NVD
An arbitrary file deletion vulnerability exists in danny-avila/librechat version v0.7.5-rc2, specifically within the /api/files endpoint. This vulnerability arises from improper input validation, allowing path traversal techniques to delete arbitrary files on the server. Attackers can exploit this to bypass security mechanisms and delete files outs
CVE-2025-8850 · Priority P2 · HIGH · CVSS 8.8 · CWE-440 · v0.7.9 · 2025-10-30 · Source: NVD
In danny-avila/librechat version 0.7.9, there is an insecure API design issue in the 2-Factor Authentication (2FA) flow. The system allows users to disable 2FA without requiring a valid OTP or backup code, bypassing the intended verification process. This vulnerability occurs because the backend does not properly validate the OTP or backup code when the
CVE-2025-69222 · Priority P2 · HIGH · CVSS 8.1 · CWE-918 · v0.8.1 · 2026-01-07 · Source: NVD
LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 is prone to a server-side request forgery (SSRF) vulnerability due to missing restrictions of the Actions feature in the default configuration. LibreChat enables users to configure agents with predefined instructions and actions that can interact with remote services via OpenAPI
CVE-2024-11170 · Priority P2 · HIGH · CVSS 8.8 · CWE-29 · fixed in 0.7.6 · 2025-03-20 · Source: NVD
A vulnerability in danny-avila/librechat version git 81f2936 allows for path traversal due to improper sanitization of file paths by the multer middleware. This can lead to arbitrary file write and potentially remote code execution. The issue is fixed in version 0.7.6.
CVE-2026-54030 · Priority P3 · CRITICAL · CVSS 9.3 · CWE-346 · ≤ 0.8.4 · v0.8.5-rc1 · 2026-06-25 · Source: NVD
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.5, LibreChat's MCP OAuth implementation does not validate that the resource parameter from OAuth Protected Resource metadata (RFC 9728) matches the configured MCP server URL, allowing a malicious MCP server to steal access tokens intended for a legitimate serv
CVE-2026-31943 · Priority P3 · HIGH · CVSS 8.5 · CWE-918 · fixed in 0.8.3 · v0.8.3 · 2026-03-27 · Source: NVD
LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.3, `isPrivateIP()` in `packages/api/src/auth/domain.ts` fails to detect IPv4-mapped IPv6 addresses in their hex-normalized form, allowing any authenticated user to bypass SSRF protection and make the server issue HTTP requests to internal network resources — including cloud me
CVE-2025-66201 · Priority P3 · HIGH · CVSS 8.1 · CWE-20 · fixed in 0.8.1 · v0.8.1 · 2025-11-29 · Source: NVD
LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.1-rc2, LibreChat is vulnerable to Server-side Request Forgery (SSRF), by passing specially crafted OpenAPI specs to its "Actions" feature and making the LLM use those actions. It could be used by an authenticated user with access to this feature to access URLs only accessible t
CVE-2026-54036 · Priority P3 · HIGH · CVSS 8.1 · CWE-306 · ≤ 0.8.3 · 2026-06-25 · Source: NVD
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the GET /api/auth/2fa/enable endpoint can be called by an authenticated user (or attacker with a stolen session) even when 2FA is already fully enabled on the account. This endpoint overwrites the existing TOTP secret, generates new backup codes, and sets tw
CVE-2025-8848 · Priority P4 · MEDIUM · CVSS 5.4 · CWE-94 · PoC · v0.7.9 · 2025-10-22 · Source: NVD
A vulnerability in danny-avila/librechat version 0.7.9 allows for HTML injection via the Accept-Language header. When a logged-in user sends an HTTP GET request with a crafted Accept-Language header, arbitrary HTML can be injected into the tag of the response. This can lead to potential security risks such as cross-site scripting (XSS) attacks.
CVE-2026-44654 · Priority P3 · HIGH · CVSS 8.1 · CWE-863 · fixed in 0.8.5 · 2026-06-02 · Source: NVD
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, a shared-agent editor can delete file records through `DELETE /api/files` that the owner has reused across multiple agents. The deletion removes the file globally — not just from the shared agent — breaking the owner's other private agent
CVE-2026-31945 · Priority P3 · HIGH · CVSS 7.7 · CWE-918 · v0.8.2 · 2026-03-27 · Source: NVD
LibreChat is a ChatGPT clone with additional features. Versions 0.8.2-rc2 through 0.8.2 are vulnerable to a server-side request forgery (SSRF) attack when using agent actions or MCP. Although a previous SSRF vulnerability (https://github.com/danny-avila/LibreChat/security/advisories/GHSA-rgjq-4q58-m3q8) was reported and patched, the fix only introduce
CVE-2025-54868 · Priority P3 · HIGH · CVSS 7.5 · CWE-285 · ≥ 0.0.6, < 0.7.8 · 2025-08-05 · Source: NVD
LibreChat is a ChatGPT clone with additional features. In versions 0.0.6 through 0.7.7-rc1, an exposed testing endpoint allows reading arbitrary chats directly from the Meilisearch engine. The endpoint /api/search/test allows for direct access to stored chats in the Meilisearch engine without proper access control. This results in the ability to read
CVE-2026-33265 · Priority P3 · CRITICAL · CVSS 9.0 · CWE-669 · v0.8.1 · v0.8.1-rc2 · 2026-03-18 · Source: NVD
In LibreChat 0.8.1-rc2, a logged-in user obtains a JWT for both the LibreChat API and the RAG API.
CVE-2025-41258 · Priority P3 · HIGH · CVSS 8.0 · CWE-284 · v0.8.1 · 2026-03-18 · Source: NVD
LibreChat version 0.8.1-rc2 uses the same JWT secret for the user session mechanism and the RAG API, which compromises the service-level authentication of the RAG API.
CVE-2024-41703 · Priority P3 · CRITICAL · CVSS 9.8 · CWE-284 · ≤ 0.7.3 · v0.7.4 · 2024-07-22 · Source: NVD
LibreChat through 0.7.4-rc1 has incorrect access control for message updates.
CVE-2024-41704 · Priority P3 · CRITICAL · CVSS 9.8 · CWE-22 · ≤ 0.7.3 · v0.7.4 · 2024-07-22 · Source: NVD
LibreChat through 0.7.4-rc1 does not validate the normalized pathnames of images.
CVE-2026-4276 · Priority P3 · HIGH · CVSS 7.5 · CWE-94 · v0.7.0 · 2026-03-16 · Source: NVD
LibreChat RAG API, version 0.7.0, contains a log-injection vulnerability that allows attackers to forge log entries.
CVE-2025-7104 · Priority P3 · HIGH · CVSS 7.5 · CWE-915 · fixed in 0.7.9 · 2025-09-29 · Source: NVD
A mass assignment vulnerability exists in danny-avila/librechat, affecting all versions. This vulnerability allows attackers to manipulate sensitive fields by automatically binding user-provided data to internal object properties or database fields without proper filtering. As a result, any extra fields in the request body are included in agentData and