
LibreChat — Vulnerabilities & Security Advisories (22)

All 22 CVEs recorded for LibreChat, with AI-generated analysis (in Chinese), references, and proof-of-concept details where available.

This page documents known vulnerabilities in LibreChat, an open-source AI chat interface that puts multiple chatbot models behind a single unified front end. It collects the security flaws reported against the application and its supporting components, including authentication and authorization bypasses, server-side request forgery, injection, path traversal and information disclosure, from the project's early releases through recent updates. Use it to track vendor advisories and the corresponding patches and mitigations, to see which weakness classes recur in AI-driven chat applications (missing access control on shared agents, files and API keys; SSRF through model-connector and MCP features; secret leakage through integrations), and to review the product's vulnerability history when assessing a deployment. The aim is one accurate, current view of LibreChat's security posture for the teams that operate it, without assembling it from fragmented sources.

Vendor: danny-avila

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-44654 | LibreChat: Shared-agent editor can globally delete owner's file records — breaks owner's other private agents | CWE-863 | - | - | 2026-06-02 |
| CVE-2026-44653 | LibreChat Shared MCP Server View Leaks Decrypted Admin Secrets | CWE-201 | 6.5 | Medium | 2026-06-02 |
| CVE-2026-32625 | LibreChat Exfiltrates Server Secrets via MCP Server URL Injection | CWE-200 | 9.6 | Critical | 2026-06-02 |
| CVE-2026-31942 | LibreChat has IDOR in API Keys Management that allows any authenticated user to overwrite other users' API keys | CWE-862 | 7.1 | High | 2026-06-02 |
| CVE-2026-34371 | LibreChat Affected by Arbitrary File Write via `execute_code` Artifact Filename Traversal | CWE-22 | 6.3 | Medium | 2026-04-07 |
| CVE-2026-31951 | LibreChat's MCP Server Header Injection Enables OAuth Token Theft | CWE-200 | 6.8 | Medium | 2026-03-27 |
| CVE-2026-31950 | LibreChat's IDOR in SSE Stream Subscription Allows Reading Other Users' Chats | CWE-284 | 5.3 | Medium | 2026-03-27 |
| CVE-2026-31945 | LibreChat Server-Side Request Forgery using DNS resolution | CWE-918 | 7.7 | High | 2026-03-27 |
| CVE-2026-31943 | LibreChat has SSRF protection bypass via IPv4-mapped IPv6 normalization in isPrivateIP | CWE-918 | 8.5 | High | 2026-03-27 |
| CVE-2026-33265 | LibreChat security vulnerability | CWE-669 | 6.3 | Medium | 2026-03-18 |
| CVE-2025-41258 | LibreChat RAG API Authentication Bypass | CWE-284 | 8.0 | High | 2026-03-18 |
| CVE-2026-31949 | LibreChat Denial of Service (DoS) via Unhandled Exception in DELETE /api/convos | CWE-248 | 6.5 | Medium | 2026-03-13 |
| CVE-2026-31944 | LibreChat MCP OAuth callback does not validate browser session — allows token theft via redirect link | CWE-306 | 7.6 | High | 2026-03-13 |
| CVE-2026-22252 | LibreChat MCP Stdio Remote Command Execution | CWE-285 | 9.1 | Critical | 2026-01-12 |
| CVE-2025-69222 | LibreChat is vulnerable to Server-Side Request Forgery due to missing restrictions | CWE-918 | 9.1 | Critical | 2026-01-07 |
| CVE-2025-69221 | LibreChat has Insufficient Access Control for Agent Permission Queries | CWE-862 | 4.3 | Medium | 2026-01-07 |
| CVE-2025-69220 | LibreChat has Insufficient Access Control for Agent Files | CWE-862 | 7.1 | High | 2026-01-07 |
| CVE-2025-66452 | LibreChat's lack of JSON parsing error handling can lead to XSS | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-12-11 |
| CVE-2025-66451 | LibreChat's Improper Input Validation in Prompt Creation API Enables Unauthorized Permission Changes | CWE-20 | 4.3 (AI) | Medium (AI) | 2025-12-11 |
| CVE-2025-66450 | LibreChat JSON Injection in Chat POST Allows Remote Resource Inclusion and PXSS via Image Upload | CWE-80 | 6.3 (AI) | Medium (AI) | 2025-12-11 |
| CVE-2025-66201 | LibreChat is Vulnerable to Server-Side Request Forgery (SSRF) in Actions Capability | CWE-20 | 8.1 | - | 2025-11-29 |
| CVE-2025-54868 | LibreChat exposes arbitrary chats through Meilisearch engine | CWE-285 | 7.5 | High | 2025-08-05 |

Scores marked (AI) carry the page's AI-generated badge rather than a score from the published advisory; a dash means no score or severity was published.
