SB2026042784 - Multiple vulnerabilities in LibreChat
Published: April 27, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Input validation error (CVE-ID: CVE-2025-66450)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper input validation in the chat POST handler when processing the user-supplied iconURL parameter. A remote user can send a specially crafted request to disclose sensitive information.
User interaction is required because another user must view a shared chat containing the malicious resource reference.
2) Improper access control (CVE-ID: CVE-2025-66451)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify prompt ownership information and gain unauthorized access to prompts.
The vulnerability exists due to improper access control in the PATCH endpoint for prompt groups (/api/prompts/groups/:groupId) when handling crafted patch requests. A remote user can submit a specially crafted PATCH request with modified author and authorName fields to modify prompt ownership information and gain unauthorized access to prompts.
The issue occurs because the patchPromptGroup function passes req.body directly to updatePromptGroup() without filtering sensitive fields.
Remediation
Install update from vendor's website.