VYPR

Librechat

All CVEs

43 total · sorted by risk
  • CVE-2026-32625 · Critical · Jun 2, 2026
    risk 0.55 · cvss 9.6 · epss 0.03

    LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, the Model Context Protocol (MCP) server integration resolves ${VAR} placeholders against the server's process.env during Zod schema validation of user-supplied MCP…

  • CVE-2026-4276 · High · Mar 16, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    LibreChat RAG API, version 0.7.0, contains a log-injection vulnerability that allows attackers to forge log entries.

  • CVE-2026-31943 · High · Mar 27, 2026
    risk 0.48 · cvss 8.5 · epss 0.00

    LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.3, `isPrivateIP()` in `packages/api/src/auth/domain.ts` fails to detect IPv4-mapped IPv6 addresses in their hex-normalized form, allowing any authenticated user to bypass SSRF protection and make the…
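
The bypass described above comes from comparing the textual form of an address instead of its value. The following is an added example in JavaScript, not LibreChat's `domain.ts`: a naive check that only recognises the dotted `::ffff:a.b.c.d` form beside a check that expands any IPv6 literal to its eight 16-bit groups, unwraps the `::ffff:0:0/96` mapping, and tests the embedded IPv4 address. The private ranges and function names are the example's own choices.

```javascript
// Added example (not LibreChat's code): detecting IPv4-mapped IPv6 addresses
// in both dotted ("::ffff:127.0.0.1") and hex ("::ffff:7f00:1") form.

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Returns [a, b, c, d] for a dotted quad, or null.
function parseIPv4(s) {
  const m = IPV4_RE.exec(s);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Expands an IPv6 literal to eight 16-bit groups; returns null if malformed.
// A trailing dotted quad (the mapped form) is first rewritten as two hex groups.
function parseIPv6(s) {
  let str = s.toLowerCase();
  const dotted = str.match(/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/);
  if (dotted) {
    const o = parseIPv4(dotted[1]);
    if (!o) return null;
    str = str.slice(0, -dotted[1].length) +
      ((o[0] << 8) | o[1]).toString(16) + ':' + ((o[2] << 8) | o[3]).toString(16);
  }
  const halves = str.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) return null;
  const groups = [...head, ...Array(halves.length === 2 ? missing : 0).fill('0'), ...tail];
  if (groups.length !== 8) return null;
  const out = [];
  for (const g of groups) {
    if (!/^[0-9a-f]{1,4}$/.test(g)) return null;
    out.push(parseInt(g, 16));
  }
  return out;
}

// RFC 1918, loopback, link-local, "this network".
function isPrivateIPv4(o) {
  return o[0] === 10 || o[0] === 127 || o[0] === 0 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) ||
    (o[0] === 169 && o[1] === 254);
}

// Bug pattern: strips a literal "::ffff:" prefix and expects a dotted quad,
// so the hex-normalised mapped form is never recognised.
function isPrivateIPNaive(addr) {
  const v4 = parseIPv4(addr.replace(/^::ffff:/i, ''));
  if (v4) return isPrivateIPv4(v4);
  return addr === '::1';
}

// Hardened: work on the parsed value, not the spelling.
function isPrivateIP(addr) {
  const v4 = parseIPv4(addr);
  if (v4) return isPrivateIPv4(v4);
  const g = parseIPv6(addr);
  if (!g) return true; // unparseable input is refused rather than allowed
  const mapped = g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff;
  if (mapped) {
    return isPrivateIPv4([g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff]);
  }
  if (g.every((x) => x === 0)) return true;                          // ::
  if (g.slice(0, 7).every((x) => x === 0) && g[7] === 1) return true; // ::1
  if ((g[0] & 0xfe00) === 0xfc00) return true;                        // fc00::/7
  if ((g[0] & 0xffc0) === 0xfe80) return true;                        // fe80::/10
  return false;
}
```

The check must run on the address the socket will actually connect to, i.e. after DNS resolution, otherwise a hostname that resolves to a mapped loopback address passes the same way.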

  • CVE-2026-44654 · High · Jun 2, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, a shared-agent editor can delete file records through `DELETE /api/files` that the owner has reused across multiple agents. The deletion removes the file globally…

  • CVE-2026-31942 · High · Jun 2, 2026
    risk 0.39 · cvss 7.1 · epss 0.00

    LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.7.6, an Insecure Direct Object Reference (IDOR) vulnerability exists in the API keys management endpoint (PUT /api/keys). Due to the use of the JavaScript object spread…

  • CVE-2025-7105 · Medium · Feb 2, 2026
    risk 0.37 · cvss 5.7 · epss 0.00

    A vulnerability in danny-avila/librechat allows attackers to exploit the unrestricted Fork Function in `/api/convos/fork` to fork numerous contents rapidly. If the forked content includes a Mermaid graph with a large number of nodes, it can lead to a JavaScript heap out of…

  • CVE-2026-44653 · Medium · Jun 2, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, users with only `VIEW` access to an MCP server can retrieve the server's decrypted admin-managed secrets through `GET /api/mcp/servers` and `GET…

  • CVE-2026-34371 · Medium · Apr 7, 2026
    risk 0.34 · cvss 6.3 · epss 0.00

    LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the execute_code sandbox when persisting code-generated artifacts. On deployments using the default local file strategy, a malicious artifact filename containing…

  • CVE-2026-31951 · Mar 27, 2026
    risk 0.00 · cvss n/a · epss 0.00

    LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc1 through 0.8.3-rc1, user-created MCP (Model Context Protocol) servers can include arbitrary HTTP headers that undergo credential placeholder substitution. An attacker can create a malicious MCP server…
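
CVE-2026-32625 and CVE-2026-31951 both describe the same primitive: text a user controls (an MCP server definition or one of its HTTP headers) goes through `${VAR}` substitution against the server's own environment, so the user can name any variable and have its value sent out. The block below is an added JavaScript example, not LibreChat's resolver: a resolver with the bug pattern next to one that substitutes only for admin-managed definitions and only names on an allowlist. The environment variables, option names and header value are constructed for the demo.

```javascript
// Added example (not LibreChat's code): "${VAR}" placeholder substitution
// as an environment-variable oracle, and a constrained alternative.

const PLACEHOLDER = /\$\{([A-Za-z_][A-Za-z0-9_]*)\}/g;

// Bug pattern: every ${NAME} is replaced from the process environment, so
// whoever controls the string can read any variable the server holds.
function resolvePlaceholdersUnsafe(value, env = process.env) {
  return value.replace(PLACEHOLDER, (_m, name) => env[name] ?? '');
}

// Hardened: user-authored definitions get no substitution at all; admin
// definitions may reference only allowlisted names, anything else is an error.
function resolvePlaceholdersSafe(
  value,
  { env = process.env, allow = new Set(), adminManaged = false } = {},
) {
  if (!adminManaged) {
    return value; // literal "${NAME}" stays in place, nothing leaks
  }
  return value.replace(PLACEHOLDER, (match, name) => {
    if (!allow.has(name)) {
      throw new Error(`placeholder ${name} is not an allowed MCP variable`);
    }
    return env[name] ?? match;
  });
}

// Constructed environment and allowlist for the demo; no real secrets.
const DEMO_ENV = {
  OPENAI_API_KEY: 'sk-demo-would-leak',
  MCP_SHARED_TOKEN: 'mcp-shared-demo',
};
const DEMO_ALLOW = new Set(['MCP_SHARED_TOKEN']);

// A header value as an attacker would write it into a user-created MCP server.
const ATTACKER_HEADER = 'Bearer ${OPENAI_API_KEY}';

function demo() {
  return {
    unsafe: resolvePlaceholdersUnsafe(ATTACKER_HEADER, DEMO_ENV),
    userScoped: resolvePlaceholdersSafe(ATTACKER_HEADER, { env: DEMO_ENV, allow: DEMO_ALLOW }),
    adminScoped: resolvePlaceholdersSafe('Bearer ${MCP_SHARED_TOKEN}', {
      env: DEMO_ENV, allow: DEMO_ALLOW, adminManaged: true,
    }),
  };
}
```

The allowlist is the important part: restricting substitution to admin-managed definitions alone still lets a compromised admin config, or a future code path that forgets the flag, reach every variable in the process.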

  • CVE-2026-31950 · Mar 27, 2026
    risk 0.00 · cvss n/a · epss 0.00

    LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc2 through 0.8.2-rc3, the SSE streaming endpoint `/api/agents/chat/stream/:streamId` does not verify that the requesting user owns the stream. Any authenticated user who obtains or guesses a valid stream…

  • CVE-2026-31945 · Mar 27, 2026
    risk 0.00 · cvss n/a · epss 0.00

    LibreChat is a ChatGPT clone with additional features. Versions 0.8.2-rc2 through 0.8.2 are vulnerable to a server-side request forgery (SSRF) attack when using agent actions or MCP. Although a previous SSRF vulnerability (https://github.com/danny-avila/LibreChat/security/advisor…

  • CVE-2026-33265 · Mar 18, 2026
    risk 0.00 · cvss n/a · epss 0.00

    In LibreChat 0.8.1-rc2, a logged-in user obtains a JWT for both the LibreChat API and the RAG API.

  • CVE-2025-41258 · Mar 18, 2026
    risk 0.00 · cvss n/a · epss 0.00

    LibreChat version 0.8.1-rc2 uses the same JWT secret for the user session mechanism and RAG API which compromises the service-level authentication of the RAG API.

  • CVE-2026-31949 · Mar 13, 2026
    risk 0.00 · cvss n/a · epss 0.00

    LibreChat is a ChatGPT clone with additional features. Prior to 0.8.3-rc1, a Denial of Service (DoS) vulnerability exists in the DELETE /api/convos endpoint that allows an authenticated attacker to crash the Node.js server process by sending malformed requests. The DELETE…

  • CVE-2026-31944 · Mar 13, 2026
    risk 0.00 · cvss n/a · epss 0.00

    LibreChat is a ChatGPT clone with additional features. From 0.8.2 to 0.8.2-rc3, the MCP (Model Context Protocol) OAuth callback endpoint accepts the redirect from the identity provider and stores OAuth tokens for the user who initiated the flow, without verifying that the…

  • CVE-2026-22252 · Jan 12, 2026
    risk 0.00 · cvss n/a · epss 0.04

    LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbitrary commands without validation, allowing any authenticated user to execute shell commands as root inside the container through a single API request. This…

  • CVE-2025-69222 · Jan 7, 2026
    risk 0.00 · cvss n/a · epss 0.04

    LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 is prone to a server-side request forgery (SSRF) vulnerability due to missing restrictions of the Actions feature in the default configuration. LibreChat enables users to configure agents with predefined…

  • CVE-2025-69221 · Jan 7, 2026
    risk 0.00 · cvss n/a · epss 0.00

    LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control when querying agent permissions. An authenticated attacker can read the permissions of arbitrary agents, even if they have no permissions for this agent. LibreChat…

  • CVE-2025-69220 · Jan 7, 2026
    risk 0.00 · cvss n/a · epss 0.00

    LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file uploads to an agents file context and file search. An authenticated attacker with access to the agent ID can change the behavior of arbitrary agents by…

  • CVE-2025-66452 · Dec 11, 2025
    risk 0.00 · cvss n/a · epss 0.00

    LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, there is no handler for JSON parsing errors; SyntaxError from express.json() includes user input in the error message, which gets reflected in responses. User input (including HTML/JavaScript)…

  • CVE-2025-66451 · Dec 11, 2025
    risk 0.00 · cvss n/a · epss 0.00

    LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when creating prompts, JSON requests are sent to define and modify the prompts via PATCH endpoint for prompt groups (/api/prompts/groups/:groupId). However, the request bodies are not…

  • CVE-2025-66450 · Dec 11, 2025
    risk 0.00 · cvss n/a · epss 0.00

    LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when a user posts a question, the iconURL parameter of the POST request can be modified by an attacker. The malicious code is then stored in the chat which can then be shared to other users. When…

  • CVE-2025-66201 · Nov 29, 2025
    risk 0.00 · cvss n/a · epss 0.00

    LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.1-rc2, LibreChat is vulnerable to Server-side Request Forgery (SSRF), by passing specially crafted OpenAPI specs to its "Actions" feature and making the LLM use those actions. It could be used by an…

  • CVE-2025-8849 · Oct 30, 2025
    risk 0.00 · cvss n/a · epss 0.00

    LibreChat version 0.7.9 is vulnerable to a Denial of Service (DoS) attack due to unbounded parameter values in the `/api/memories` endpoint. The `key` and `value` parameters accept arbitrarily large inputs without proper validation, leading to a null pointer error in the…

  • CVE-2025-8850 · Oct 30, 2025
    risk 0.00 · cvss n/a · epss 0.00

    In danny-avila/librechat version 0.7.9, there is an insecure API design issue in the 2-Factor Authentication (2FA) flow. The system allows users to disable 2FA without requiring a valid OTP or backup code, bypassing the intended verification process. This vulnerability occurs…

  • CVE-2025-8848 · Oct 22, 2025
    risk 0.00 · cvss n/a · epss 0.00

    A vulnerability in danny-avila/librechat version 0.7.9 allows for HTML injection via the Accept-Language header. When a logged-in user sends an HTTP GET request with a crafted Accept-Language header, arbitrary HTML can be injected into the tag of the response.…

  • CVE-2025-7104 · Sep 29, 2025
    risk 0.00 · cvss n/a · epss 0.00

    A mass assignment vulnerability exists in danny-avila/librechat, affecting all versions. This vulnerability allows attackers to manipulate sensitive fields by automatically binding user-provided data to internal object properties or database fields without proper filtering. As a…

  • CVE-2025-7106 · Sep 23, 2025
    risk 0.00 · cvss n/a · epss 0.00

    danny-avila/librechat is affected by an authorization bypass vulnerability due to improper access control checks. The `checkAccess` function in `api/server/middleware/roles/access.js` uses `permissions.some()` to validate permissions, which incorrectly grants access if only one…
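
The quantifier bug above is easy to reproduce in isolation. The block below is an added JavaScript example, not LibreChat's `access.js`: a role table, the `.some()` check that passes when only one of several required permissions is held, the `.every()` check that requires all of them, and an Express-style middleware factory wrapping the check. Role names, permission strings and the fake response object are constructed for the demo.

```javascript
// Added example (not LibreChat's code): .some() versus .every() in a
// permission check, and a middleware that uses the right one.

// Constructed role table.
const ROLE_PERMISSIONS = {
  admin: new Set(['prompts:use', 'prompts:create', 'prompts:share']),
  user: new Set(['prompts:use']),
};

// Bug pattern: access is granted if ANY required permission is present.
function checkAccessSome(role, required) {
  const granted = ROLE_PERMISSIONS[role] ?? new Set();
  return required.some((p) => granted.has(p));
}

// Correct: EVERY required permission must be present. An empty requirement
// list is treated as a configuration error rather than vacuous truth.
function checkAccess(role, required) {
  const granted = ROLE_PERMISSIONS[role] ?? new Set();
  return required.length > 0 && required.every((p) => granted.has(p));
}

// Express-style middleware factory; `check` is injectable so both variants
// can be exercised against the same route.
function requirePermissions(required, check = checkAccess) {
  return (req, res, next) => {
    if (check(req.user?.role, required)) return next();
    res.status(403).json({ error: 'forbidden' });
  };
}

// Minimal stand-in for an Express response, recording what was sent.
function makeFakeRes() {
  const res = { code: null, body: null };
  res.status = (c) => { res.code = c; return res; };
  res.json = (b) => { res.body = b; return res; };
  return res;
}

// Runs one request through the middleware and reports the outcome.
function attempt(role, required, check) {
  const res = makeFakeRes();
  let reachedHandler = false;
  requirePermissions(required, check)({ user: { role } }, res, () => { reachedHandler = true; });
  return { reachedHandler, code: res.code };
}
```

The same mistake appears whenever a bitmask is tested with `(granted & required) !== 0` instead of `(granted & required) === required`; the fix is the same quantifier change.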

  • CVE-2025-6088 · Sep 11, 2025
    risk 0.00 · cvss n/a · epss 0.00

    In version 0.7.8 of danny-avila/librechat, improper authorization controls in the conversation sharing feature allow unauthorized access to other users' conversations if the conversation ID is known. Although UUIDv4 conversation IDs are generated server-side and are difficult to…

  • CVE-2025-54868 · Aug 5, 2025
    risk 0.00 · cvss n/a · epss 0.00

    LibreChat is a ChatGPT clone with additional features. In versions 0.0.6 through 0.7.7-rc1, an exposed testing endpoint allows reading arbitrary chats directly from the Meilisearch engine. The endpoint /api/search/test allows for direct access to stored chats in the Meilisearch…

  • CVE-2024-10359 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.00

    In danny-avila/librechat version v0.7.5-rc2, a vulnerability exists in the preset creation functionality where a user can manipulate the user ID field through mass assignment. This allows an attacker to inject a different user ID into the preset object, causing the preset to…
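
CVE-2026-31942 (object spread on `PUT /api/keys`), CVE-2025-7104 (mass assignment) and CVE-2024-10359 (user ID injected into a preset) are the same pattern: the request body is bound wholesale onto a stored record, so fields the client was never meant to set, the owner in particular, are accepted. The block below is an added JavaScript example, not LibreChat's handlers: an update function written with the spread pattern beside one that checks ownership and copies only an allowlist of fields. The in-memory store, record shape and request bodies are constructed.

```javascript
// Added example (not LibreChat's code): mass assignment through object spread
// versus an owner-checked, field-allowlisted update.

// A fresh in-memory "database" for each run; shape is constructed.
function demoStore() {
  return new Map([
    ['key-1', { id: 'key-1', userId: 'alice', name: 'OpenAI', value: 'sk-alice-demo' }],
  ]);
}

// Bug pattern: the body is spread over the record, so id, userId and any
// other property the client sends are accepted, and nobody checks ownership.
function updateKeyUnsafe(store, sessionUserId, body) {
  const existing = store.get(body.id) ?? { id: body.id, userId: sessionUserId };
  const updated = { ...existing, ...body };
  store.set(updated.id, updated);
  return { status: 200, record: updated };
}

// Hardened: find the record, verify the caller owns it, then copy only the
// fields a client may edit. Owner and id never come from the body.
const EDITABLE_FIELDS = ['name', 'value'];

function updateKeySafe(store, sessionUserId, body) {
  const existing = store.get(body.id);
  if (!existing) return { status: 404 };
  if (existing.userId !== sessionUserId) return { status: 403 };
  const updated = { ...existing };
  for (const field of EDITABLE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, field)) updated[field] = body[field];
  }
  store.set(updated.id, updated);
  return { status: 200, record: updated };
}

// Mallory targets alice's key: overwrite the secret and claim ownership.
const MALLORY_BODY = { id: 'key-1', userId: 'mallory', value: 'sk-mallory-demo' };
```

A schema validator with `additionalProperties: false` (or the equivalent `.strict()` in Zod) catches the extra fields at the edge, but the ownership comparison still has to happen in the handler; validation alone does not know who owns `key-1`.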

  • CVE-2024-11173 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    An unhandled exception in the danny-avila/librechat repository, version git 600d217, can cause the server to crash, leading to a full denial of service. This issue occurs when certain API endpoints receive malformed input, resulting in an uncaught exception. Although a valid JWT…

  • CVE-2024-10363 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.00

    In version 0.7.5 of danny-avila/LibreChat, there is an improper access control vulnerability. Users can share, use, and create prompts without being granted permission by the admin. This can break application logic and permissions, allowing unauthorized actions.

  • CVE-2024-11171 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. The application uses multer middleware for handling multipart file uploads. When using in-memory storage (the default setting for multer), there is no limit on the upload file…

  • CVE-2024-11172 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    A vulnerability in danny-avila/librechat version git a1647d7 allows an unauthenticated attacker to cause a denial of service by sending a crafted payload to the server. The middleware `checkBan` is not surrounded by a try-catch block, and an unhandled exception will cause the…

  • CVE-2024-11169 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    An unhandled exception in danny-avila/librechat version 3c94ff2 can lead to a server crash. The issue occurs when the fs module throws an exception while handling file uploads. An unauthenticated user can trigger this exception by sending a specially crafted request, causing the…

  • CVE-2024-11167 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    An improper access control vulnerability in danny-avila/librechat versions prior to 0.7.6 allows authenticated users to delete other users' prompts via the groupid parameter. This issue occurs because the endpoint does not verify whether the provided prompt ID belongs to the…

  • CVE-2024-10366 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.00

    An improper access control vulnerability (IDOR) exists in the delete attachments functionality of danny-avila/librechat version v0.7.5-rc2. The endpoint does not verify whether the provided attachment ID belongs to the current user, allowing any authenticated user to delete…

  • CVE-2024-12580 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.00

    A vulnerability in danny-avila/librechat prior to version 0.7.6 allows for logs debug injection. The parameters sessionId, fileId, userId, and file_id in the /code/download/:sessionId/:fileId and /download/:userId/:file_id APIs are not validated or filtered, leading to potential…
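
CVE-2026-4276 (RAG API) and CVE-2024-12580 (the download routes above) are both log injection: a value taken from the request is written into a line-oriented log, so a `\n` in it starts what looks like a second, forged entry. The block below is an added JavaScript example, not LibreChat's logging: a formatter with the bug pattern, a formatter that strips control characters and emits one JSON object per line, and a tiny line counter standing in for whatever parses the log later. Field names and the sample parameter are constructed.

```javascript
// Added example (not LibreChat's code): forging a log entry through a route
// parameter, and structured logging that defeats it.

// Bug pattern: the parameter is interpolated into a line-oriented log as-is.
function formatDownloadLogUnsafe(userId, fileId) {
  return `[INFO] download user=${userId} file=${fileId}`;
}

// Replace ASCII control characters (CR, LF, ESC, NUL, ...) so a value can
// never terminate the current line or emit terminal escapes.
function sanitizeField(v) {
  return String(v).replace(/[\x00-\x1f\x7f]/g, '?');
}

// Hardened: one JSON object per line. JSON.stringify escapes any remaining
// special characters, so the record stays a single line for the parser.
function formatDownloadLogSafe(userId, fileId) {
  return JSON.stringify({
    level: 'info',
    event: 'download',
    userId: sanitizeField(userId),
    fileId: sanitizeField(fileId),
  });
}

// Stand-in for a downstream line parser: counts records it would see.
function countRecords(logText) {
  return logText.split('\n').filter((line) => line.startsWith('[') || line.startsWith('{')).length;
}

// Constructed attacker input: a file id carrying a newline and a fake entry.
const FORGED_FILE_ID = 'abc123\n[INFO] login user=admin mfa=ok';
```

Keeping the original log line in place is not enough for forensics; the stripped characters are replaced with `?` here so that the tampering attempt itself remains visible in the record.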

  • CVE-2024-10361 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.01

    An arbitrary file deletion vulnerability exists in danny-avila/librechat version v0.7.5-rc2, specifically within the /api/files endpoint. This vulnerability arises from improper input validation, allowing path traversal techniques to delete arbitrary files on the server.…

  • CVE-2024-11170 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.02

    A vulnerability in danny-avila/librechat version git 81f2936 allows for path traversal due to improper sanitization of file paths by the multer middleware. This can lead to arbitrary file write and potentially remote code execution. The issue is fixed in version 0.7.6.

  • CVE-2024-41703 · Jul 22, 2024
    risk 0.00 · cvss n/a · epss 0.00

    LibreChat through 0.7.4-rc1 has incorrect access control for message updates.

  • CVE-2024-41704 · Jul 22, 2024
    risk 0.00 · cvss n/a · epss 0.01

    LibreChat through 0.7.4-rc1 does not validate the normalized pathnames of images.