SB2026042784 - Multiple vulnerabilities in LibreChat



SB2026042784 - Multiple vulnerabilities in LibreChat

Published: April 27, 2026

Security Bulletin ID SB2026042784
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Input validation error (CVE-ID: CVE-2025-66450)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper input validation in the chat POST handler when processing the user-supplied iconURL parameter. A remote user can send a specially crafted request to disclose sensitive information.

User interaction is required because another user must view a shared chat containing the malicious resource reference.


2) Improper access control (CVE-ID: CVE-2025-66451)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify prompt ownership information and gain unauthorized access to prompts.

The vulnerability exists due to improper access control in the PATCH endpoint for prompt groups (/api/prompts/groups/:groupId) when handling crafted patch requests. A remote user can submit a specially crafted PATCH request with modified author and authorName fields to modify prompt ownership information and gain unauthorized access to prompts.

The issue occurs because the patchPromptGroup function passes req.body directly to updatePromptGroup() without filtering sensitive fields.


Remediation

Install update from vendor's website.