Missing Authorization in LibreChat - CVE-2025-69221

 


Published: April 27, 2026


Vulnerability identifier: #VU128106
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-69221
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LibreChat
Affected software:
LibreChat

Detailed vulnerability description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to missing authorization in the agent permission query endpoint when querying agent permissions by agent ID. A remote user can send a crafted request for an arbitrary agent ID and obtain sensitive information.

The exposed data can include individually assigned permissions for other users, and exploitation requires knowledge of the target agent ID.
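
The missing-authorization pattern described above, shown next to a handler that enforces the check, as an added example that is not LibreChat's code. The ACL schema, role names, function names and the choice of a 404 response are all assumptions made for illustration.

```javascript
// Constructed sample data: per-agent access-control entries (hypothetical schema).
const AGENT_ACL = new Map([
  ['agent_A', [
    { userId: 'alice', role: 'owner' },
    { userId: 'bob', role: 'viewer' },
  ]],
  ['agent_B', [
    { userId: 'carol', role: 'owner' },
    { userId: 'dave', role: 'editor' },
  ]],
]);

// Roles allowed to read an agent's full permission list (assumption).
const CAN_READ_ACL = new Set(['owner']);

// Missing-authorization pattern (CWE-862): the requester is authenticated but
// never consulted, so any user receives the ACL for whatever ID is supplied.
function getPermissionsUnchecked(requester, agentId) {
  const entries = AGENT_ACL.get(agentId);
  if (!entries) return { status: 404, body: null };
  return { status: 200, body: entries };
}

// Hardened form: the requester must hold a role on this agent that grants
// ACL read access. Unknown and unauthorized agents both yield 404, so the
// response does not confirm whether an agent ID exists.
function getPermissionsChecked(requester, agentId) {
  const entries = AGENT_ACL.get(agentId) || [];
  const own = entries.find((e) => e.userId === requester.id);
  if (!own || !CAN_READ_ACL.has(own.role)) {
    return { status: 404, body: null };
  }
  return { status: 200, body: entries };
}

// Regression check: list every user/agent pair where the handler returns an
// ACL the user is not entitled to read. An empty array means it is enforced.
function findAclLeaks(handler, userIds) {
  const leaks = [];
  for (const [agentId, entries] of AGENT_ACL) {
    for (const id of userIds) {
      const grant = entries.find((e) => e.userId === id);
      const allowed = Boolean(grant) && CAN_READ_ACL.has(grant.role);
      const res = handler({ id }, agentId);
      if (res.status === 200 && !allowed) leaks.push(`${id}->${agentId}`);
    }
  }
  return leaks;
}
```

A check like findAclLeaks can run in CI against the real handler with seeded test users, so a regression in the authorization middleware fails the build.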


How to mitigate CVE-2025-69221

Install the security update from the vendor's website.
