Librechat Security Vulnerabilities (CVEs)
Track 22 security vulnerabilities affecting Librechat products and software. Get instant email alerts when new CVEs are discovered, automated security monitoring, and patch guidance.
Each entry below is followed by the date it was added to the tracker:

- Jan 12, 2026: This critical vulnerability in LibreChat allows authenticated users to execute arbitrary shell commands as root within the container via a single API ...
- Jan 7, 2026: LibreChat version 0.8.1-rc2 has a server-side request forgery (SSRF) vulnerability in its Actions feature that allows attackers to make unauthorized r...
- Jan 7, 2026: This vulnerability allows authenticated attackers to modify the behavior of arbitrary LibreChat agents by uploading files to file contexts or file sea...
- Jan 7, 2026: LibreChat version 0.8.1-rc2 has an improper access control vulnerability where authenticated users can read permissions of arbitrary agents by knowing...
- Dec 11, 2025: This vulnerability in LibreChat allows authenticated users to modify prompt groups in unintended ways by sending malformed JSON requests to the PATCH ...
- Dec 11, 2025: LibreChat versions 0.8.0 and below expose user input in JSON parsing error messages, which can be reflected in HTTP responses. This creates a cross-si...
- Dec 11, 2025: CVE-2025-66450 is a stored cross-site scripting (XSS) vulnerability in LibreChat where attackers can inject malicious code via the iconURL parameter. ...
- Nov 29, 2025: This Server-side Request Forgery (SSRF) vulnerability in LibreChat allows authenticated users to craft malicious OpenAPI specifications that trick the...
- Oct 31, 2025: LibreChat 0.7.9 is vulnerable to denial of service attacks through the /api/memories endpoint. Attackers can submit arbitrarily large 'key' or 'value'...
- Oct 22, 2025: This vulnerability allows HTML injection via crafted Accept-Language headers in librechat version 0.7.9. When exploited, attackers can inject arbitrar...
- Sep 29, 2025: A mass assignment vulnerability in danny-avila/librechat allows attackers to manipulate sensitive fields by sending extra parameters in requests that ...
- Aug 5, 2025: LibreChat versions 0.0.6 through 0.7.7-rc1 have an exposed testing endpoint (/api/search/test) that allows unauthorized access to read arbitrary user ...
- Mar 20, 2025: This CVE describes a log injection vulnerability in LibreChat where unvalidated parameters in download APIs allow attackers to inject malicious conten...
- Mar 20, 2025: An improper access control vulnerability in LibreChat allows authenticated users to delete other users' prompts by manipulating the groupid parameter....
- Mar 20, 2025: An unhandled exception in the fs module of danny-avila/librechat allows unauthenticated attackers to crash the server by sending specially crafted fil...
- Mar 20, 2025: A path traversal vulnerability in danny-avila/librechat allows attackers to write files to arbitrary locations on the server due to improper sanitizat...
- Mar 20, 2025: This vulnerability allows unauthenticated attackers to crash LibreChat servers by uploading large files, causing denial of service through out-of-memo...
- Mar 20, 2025: An unauthenticated denial-of-service vulnerability in librechat allows attackers to crash the server by sending a crafted payload. The vulnerability e...
- Mar 20, 2025: An unhandled exception vulnerability in LibreChat allows attackers to crash the server, causing denial of service. Attackers can exploit this by sendi...
- Mar 20, 2025: This vulnerability allows attackers to delete arbitrary files on servers running vulnerable versions of LibreChat via path traversal in the /api/files...
- Mar 20, 2025: This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in LibreChat's delete attachments functionality. Authenticated users can d...
- Jul 22, 2024: LibreChat through version 0.7.4-rc1 has an access control vulnerability that allows unauthorized users to modify messages belonging to other users. Th...

Why Monitor Librechat Security Vulnerabilities?
Real-time CVE tracking: Our automated system monitors 22+ known vulnerabilities affecting Librechat products and software packages. Stay ahead of emerging threats with instant email notifications when new security issues are discovered.
Automated security monitoring: Unlike manual CVE checking, FixTheCVE automatically scans your servers and detects vulnerable Librechat packages in under 60 seconds. No agents required - completely agentless scanning that works across Librechat deployments.
Free vulnerability database: Access detailed information about every Librechat CVE including CVSS scores, severity ratings, affected versions, and actionable patch guidance. Filter by critical, high, medium, or low severity to prioritize your security remediation efforts.
🚀 Get Started in 60 Seconds
- Register free account & add your servers
- Run one-time scan or schedule automatic monitoring (every 1-24 hours)
- Receive instant alerts when new Librechat CVEs affect your systems
- Access dashboard with severity breakdown & fix instructions