librechat

Top products

The 15 most recently published vulnerabilities affecting librechat.

• CVE-2026-44654LibreChat: Shared-agent editor can globally delete owner's file records — breaks owner's other private agents8.1Jun 2, 2026
• CVE-2026-44653LibreChat Shared MCP Server View Leaks Decrypted Admin Secrets6.5Jun 2, 2026
• CVE-2026-32625LibreChat Exfiltrates Server Secrets via MCP Server URL Injection9.6Jun 2, 2026
• CVE-2026-31942LibreChat has IDOR in API Keys Management that allows any authenticated user to overwrite other users' API keys7.1Jun 2, 2026
• CVE-2026-34371LibreChat Affected by Arbitrary File Write via `execute_code` Artifact Filename Traversal6.3Apr 7, 2026
• CVE-2026-31951LibreChat's MCP Server Header Injection Enables OAuth Token Theft6.8Mar 27, 2026
• CVE-2026-31950LibreChat's IDOR in SSE Stream Subscription Allows Reading Other Users' Chats5.3Mar 27, 2026
• CVE-2026-31945LibreChat Server-Side Request Forgery using DNS resolution7.7Mar 27, 2026
• CVE-2026-31943LibreChat has SSRF protection bypass via IPv4-mapped IPv6 normalization in isPrivateIP8.5Mar 27, 2026
• CVE-2026-33265In LibreChat 0.8.1-rc2, a logged-in user obtains a JWT for both the LibreChat API and the RAG API.6.3Mar 18, 2026
• CVE-2025-41258LibreChat RAG API Authentication Bypass8.0Mar 18, 2026
• CVE-2026-4276LibreChat RAG API, version 0.7.0, contains a log-injection vulnerability that allows attackers to forge log entries.7.5Mar 16, 2026
• CVE-2026-31949LibreChat Denial of Service (DoS) via Unhandled Exception in DELETE /api/convos6.5Mar 13, 2026
• CVE-2026-31944LibreChat MCP OAuth callback does not validate browser session — allows token theft via redirect link7.6Mar 13, 2026
• CVE-2026-22252LibreChat MCP Stdio Remote Command Execution9.1Jan 12, 2026