Improper access control in LibreChat - CVE-2025-66451

Published: April 27, 2026


Vulnerability identifier: #VU128110
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-66451
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LibreChat
Affected software:
LibreChat

Detailed vulnerability description

The vulnerability allows a remote authenticated user to alter prompt-group ownership information and gain unauthorized access to prompts.

The vulnerability exists due to improper access control in the PATCH endpoint for prompt groups (/api/prompts/groups/:groupId). The patchPromptGroup handler passes req.body directly to updatePromptGroup() without filtering sensitive fields, so a request body that includes author and/or authorName values overwrites the stored ownership of the group. A remote user who can reach the endpoint can therefore submit a specially crafted PATCH request to change who owns a prompt group and gain access to prompts they should not control.
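The following is an added illustration of the flaw class, not code from LibreChat. It models the PATCH /api/prompts/groups/:groupId handler against an in-memory store so it runs offline: the vulnerable shape hands the whole request body to the update routine, as the advisory describes, while the hardened shape checks that the requester owns the group and copies only allow-listed fields. Everything apart from the `author` and `authorName` field names (the editable field list, the store layout, the user identifiers) is an assumption.

```javascript
// Added example, not LibreChat's own code. Field names other than `author`
// and `authorName`, the store shape and the user ids are assumptions.

// Fields a caller may change through PATCH (assumed allow-list).
const EDITABLE_FIELDS = new Set(['name', 'category', 'oneliner']);

// Constructed sample data: one prompt group owned by user "u-owner".
function makeStore() {
  return new Map([
    ['g1', { _id: 'g1', author: 'u-owner', authorName: 'Owner', name: 'Recon notes', category: 'work' }],
  ]);
}

// Stand-in for the persistence layer: it applies whatever it is given,
// which is why the caller must filter the fields.
function updatePromptGroup(group, fields) {
  Object.assign(group, fields);
  return group;
}

// Vulnerable shape (mirrors the flaw the advisory describes): the request
// body reaches updatePromptGroup() unfiltered, so `author` and `authorName`
// supplied by the client overwrite the stored ownership.
function patchPromptGroupVulnerable(store, groupId, req) {
  const group = store.get(groupId);
  if (!group) return { status: 404 };
  updatePromptGroup(group, req.body);
  return { status: 200, group };
}

// Hardened shape: reject requests from anyone but the current owner, then
// build the update from allow-listed fields only. Ownership fields can never
// be set through this endpoint, not even by the owner.
function patchPromptGroupHardened(store, groupId, req) {
  const group = store.get(groupId);
  if (!group) return { status: 404 };
  if (String(group.author) !== String(req.user.id)) return { status: 403 };
  const update = {};
  for (const [key, value] of Object.entries(req.body)) {
    if (EDITABLE_FIELDS.has(key)) update[key] = value;
  }
  if (Object.keys(update).length === 0) return { status: 400 };
  updatePromptGroup(group, update);
  return { status: 200, group };
}

// Constructed request from a non-owner ("u-mallory") that tries to take the
// group over by writing the ownership fields.
const takeoverRequest = {
  user: { id: 'u-mallory' },
  body: { author: 'u-mallory', authorName: 'Mallory', name: 'Recon notes' },
};

// Runs the same request through both handlers on fresh stores.
function demo() {
  const vuln = patchPromptGroupVulnerable(makeStore(), 'g1', takeoverRequest);
  const hard = patchPromptGroupHardened(makeStore(), 'g1', takeoverRequest);
  return { vulnAuthor: vuln.group.author, hardStatus: hard.status };
  // vulnAuthor: 'u-mallory' (ownership changed), hardStatus: 403 (rejected)
}
```

The ownership check and the allow-list are independent controls: the check stops a non-owner from touching the group at all, and the allow-list stops the owner (or anyone who later gains edit rights) from reassigning ownership through a field that was never meant to be client-writable.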


How to mitigate CVE-2025-66451

Install the security update from the vendor's website.

Sources