SB2026042783 - Multiple vulnerabilities in LibreChat
Published: April 27, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 vulnerabilities.
1) Input validation error (CVE-ID: CVE-2026-22252)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary shell commands as root inside the container.
The vulnerability exists due to improper input validation in the MCP stdio transport when handling crafted API requests for MCP server creation. A remote privileged user can send a specially crafted HTTP request with an arbitrary command to execute arbitrary shell commands as root inside the container.
The issue works on the default installation and is triggered during MCP server creation during inspection.
2) Missing Authorization (CVE-ID: CVE-2025-69221)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to missing authorization in the agent permission query endpoint when querying agent permissions by agent ID. A remote user can send a crafted request for an arbitrary agent ID to disclose sensitive information.
The exposed data can include individually assigned permissions for other users, and exploitation requires knowledge of the target agent ID.
3) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2025-69222)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:L/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to interact with arbitrary third-party HTTP services and access internal services.
The vulnerability exists due to server-side request forgery in the Actions feature when processing user-supplied OpenAPI specifications in the default configuration. A remote user can define crafted action specifications and send requests to arbitrary HTTP services to interact with arbitrary third-party HTTP services and access internal services.
In the default Docker Compose setup, this can expose the internal RAG API and allow requests with arbitrary HTTP methods, parameters, and headers.
4) Missing Authorization (CVE-ID: CVE-2025-69220)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify arbitrary agents.
The vulnerability exists due to missing authorization in the agent file upload functionality when uploading files to an agent's file context or file search. A remote user can upload a file for an agent they do not have permission to edit to modify arbitrary agents.
Exploitation requires knowledge of the target agent ID.
Remediation
Install update from vendor's website.
References
- https://github.com/danny-avila/LibreChat/security/advisories/GHSA-cxhj-j78r-p88f
- https://github.com/danny-avila/LibreChat/security/advisories/GHSA-5ccx-4r3h-9qc7
- https://github.com/danny-avila/LibreChat/security/advisories/GHSA-rgjq-4q58-m3q8
- https://github.com/danny-avila/LibreChat/security/advisories/GHSA-xcmf-rpmh-hg59