SB2026060301 - Multiple vulnerabilities in LibreChat
Published: June 3, 2026
Description
This security bulletin contains information about 9 vulnerabilities.
1) Cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script in the victim's browser.
The vulnerability exists due to cross-site scripting in the markdown artifact preview pipeline when rendering crafted markdown image alt text. A remote user can import a crafted conversation and share a public link to execute arbitrary script in the victim's browser.
User interaction is required to open the shared conversation link.
2) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information from internal network resources.
The vulnerability exists due to server-side request forgery (SSRF) in the handling of user-configured API endpoint baseURL values: the server builds outbound HTTP requests from the user-supplied baseURL without restricting where it may point. A remote user can set a crafted baseURL pointing to an internal address to disclose sensitive information from internal network resources.
The configured API key may be forwarded in the Authorization header to the target endpoint.
3) Information disclosure (CVE-ID: CVE-2026-32625)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to disclose sensitive information and compromise integrity.
The vulnerability exists due to exposure of sensitive information to an unauthorized actor in the MCP server URL validation and inspection workflow when handling authenticated MCP server creation requests with crafted URL placeholders. A remote user can submit a malicious MCP server configuration that injects environment variable references into the URL to disclose sensitive information and compromise integrity.
The server immediately connects to the resolved external URL during inspection, which can expose secrets such as cryptographic keys, token signing material, and database connection strings.
4) Allocation of Resources Without Limits or Throttling (CVE-ID: N/A)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in the conversation import multer instance for the POST /api/convos/import endpoint when handling uploaded conversation import files. A remote user can upload an arbitrarily large file to cause a denial of service.
The application-level size check is disabled by default when the related environment variable is unset, and the uploaded file is written to disk before being fully read into memory and parsed.
5) Allocation of Resources Without Limits or Throttling (CVE-ID: N/A)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in the /api/convos/duplicate endpoint when handling rapid conversation duplication requests. A remote user can send a series of crafted requests to cause a denial of service.
The vulnerable endpoint performs expensive database read and batch-write operations equivalent to conversation forking, and exploitation can degrade service for other users on the same instance.
6) Missing Authorization (CVE-ID: N/A)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to delete arbitrary messages.
The vulnerability exists due to improper access control in the DELETE /api/messages/:conversationId/:messageId endpoint when handling crafted delete requests. A remote user can supply a valid conversationId they own and a victim's messageId to delete arbitrary messages.
Successful exploitation requires knowledge of the target messageId, and deleted messages are permanently removed rather than soft-deleted.
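The authorization defect in item 6 is that the ownership check and the delete predicate cover different identifiers. The following added example (not LibreChat's code; the in-memory store and the user, conversation and message names are constructed for the demo) shows that pattern next to a scoped delete in which messageId is bound to the conversationId the caller owns.

```javascript
// Added example (not LibreChat code): binding a message delete to the caller's own
// conversation so a foreign messageId cannot be removed via an owned conversationId.

// Constructed sample data; a real application would query its database instead.
function createStore() {
  return {
    conversations: new Map([
      ['conv-alice', { owner: 'alice' }],
      ['conv-bob', { owner: 'bob' }],
    ]),
    messages: new Map([
      ['msg-1', { conversationId: 'conv-alice' }],
      ['msg-2', { conversationId: 'conv-bob' }],
    ]),
  };
}

// Weak pattern: ownership is checked on the conversation path parameter only,
// and the delete is then issued by messageId alone. Returns an HTTP-style status.
function deleteMessageWeak(store, userId, conversationId, messageId) {
  const conv = store.conversations.get(conversationId);
  if (!conv || conv.owner !== userId) return 403;
  if (!store.messages.has(messageId)) return 404;
  store.messages.delete(messageId); // removes any message, from any conversation
  return 200;
}

// Hardened pattern: the delete predicate requires the message to belong to the
// conversation the caller owns, so both identifiers must refer to the same record.
// With a database this is the difference between deleteOne({ messageId }) and
// deleteOne({ messageId, conversationId, user: userId }).
function deleteMessageScoped(store, userId, conversationId, messageId) {
  const conv = store.conversations.get(conversationId);
  if (!conv || conv.owner !== userId) return 403;
  const msg = store.messages.get(messageId);
  if (!msg || msg.conversationId !== conversationId) return 404; // same answer for "not yours"
  store.messages.delete(messageId);
  return 200;
}
```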
7) Missing Authorization (CVE-ID: N/A)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify another user's agent resources.
The vulnerability exists due to improper access control in the POST /api/files/images endpoint when handling image upload requests for agent tool_resources. A remote user can upload a file into another user's agent tool_resources and thereby modify resources they do not own.
The issue affects uploads where the request targets an agent_id and tool_resource and the upload is processed as a non-message attachment.
8) Missing Authentication for Critical Function (CVE-ID: N/A)
CWE-ID: CWE-306 - Missing Authentication for Critical Function
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to take over two-factor authentication for an account.
The vulnerability exists due to missing authentication for a critical function in the GET /api/auth/2fa/enable endpoint when handling requests for accounts with 2FA already enabled. A remote user can call the endpoint with a valid session token to take over two-factor authentication for an account.
The issue overwrites the existing TOTP secret, generates new backup codes, and sets twoFactorEnabled to false without requiring TOTP or backup code verification.
9) Missing Authentication for Critical Function (CVE-ID: N/A)
CWE-ID: CWE-306 - Missing Authentication for Critical Function
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass and disable two-factor authentication.
The vulnerability exists due to missing authentication for a critical function in the POST /api/auth/2fa/backup/regenerate endpoint when handling requests to regenerate backup codes. A remote user holding a stolen session token can send a crafted authenticated request to bypass and disable two-factor authentication.
The endpoint also returns newly generated plaintext backup codes and their hashes in the response.
Remediation
Install the update from the vendor's website.
References
- https://github.com/danny-avila/LibreChat/security/advisories/GHSA-3phr-62qf-cxf3
- https://github.com/danny-avila/LibreChat/security/advisories/GHSA-gc9r-88c3-7qhq
- https://github.com/danny-avila/LibreChat/security/advisories/GHSA-4pcc-j6m6-wcwx
- https://github.com/danny-avila/LibreChat/security/advisories/GHSA-52f6-fqwv-jccf
- https://huntr.com/bounties/91717a5a-d653-4e35-b186-9e8d00aa4285
- https://github.com/danny-avila/LibreChat/security/advisories/GHSA-g445-9wq6-jf3v
- https://github.com/danny-avila/librechat/commit/97a99985fa339db0a21ad63604e0bb8db4442ffc
- https://github.com/danny-avila/LibreChat/security/advisories/GHSA-8892-xj8q-59xc
- https://github.com/danny-avila/LibreChat/security/advisories/GHSA-c55r-p24w-hcj5
- https://github.com/danny-avila/LibreChat/security/advisories/GHSA-45fp-6q26-wfgq
- https://github.com/danny-avila/LibreChat/commit/7e4c8a5d0
- https://github.com/danny-avila/LibreChat/security/advisories/GHSA-h59w-x9h4-m6gv