Description
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, a shared-agent editor can delete file records through `DELETE /api/files` that the owner has reused across multiple agents. The deletion removes the file globally — not just from the shared agent — breaking the owner's other private agents that reference the same `file_id`. The private agent retains a stale `file_id` reference that no longer resolves. A shared-agent editor can destroy files that the owner uses across multiple agents. The owner's private agents — which the attacker has no access to — break silently with stale `file_id` references. This is a cross-agent integrity violation: editing access to one agent should not affect another. Version 0.8.4 contains a patch.
Published: 2026-06-02
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in LibreChat up to version 0.8.3. A shared‑agent editor can delete file records via the DELETE /api/files endpoint. Because the file records are globally shared, deleting them removes the file for all agents that reference it, not just the shared agent. This violates cross‑agent integrity: the private agents owned by the file’s owner lose a valid file_id and silently break. The weakness is an authorization flaw—CWE‑863—allowing an editor to affect resources outside its intended scope.

Affected Systems

danny-avila: LibreChat releases up to and including 0.8.3 are impacted. Users running these versions on any operating system with the web API exposed are affected. Version 0.8.4 contains the fix.

Risk and Exploitability

The CVSS score of 5.7 indicates moderate severity. The EPSS score is not available, making the current exploitation probability uncertain. The vulnerability is not listed in the CISA KEV catalog. The likely attack involves an authenticated user with shared-agent editing rights issuing a DELETE request via the API or web interface, which deletes files that other private agents rely on. Because the attack relies on existing permissions, the risk is moderate, but it can silently disrupt multiple agents without user awareness.

Generated by OpenCVE AI on June 3, 2026 at 04:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LibreChat to version 0.8.4 or later to apply the vendor fix.
  • If an immediate upgrade is not possible, limit delete permissions for shared‑agent editors or temporarily remove the DELETE /api/files endpoint for those users.
  • Configure monitoring or alerts to detect when private agents receive stale or missing file_id references and address them promptly.
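The scoped-delete mitigation and the stale-reference monitoring recommended above, sketched on a small in-memory model. This is an added example, not LibreChat's code or the 0.8.4 patch; the store layout, the sample users and agents, and the functions `deleteFileGlobal`, `deleteFileScoped` and `findStaleRefs` are all assumptions made for illustration.

```javascript
// Added example: in-memory model, not LibreChat code. All shapes are assumptions.
function makeStore() { // constructed sample data
  return {
    files: new Map([['file-A', { owner: 'alice' }]]),
    agents: new Map([
      ['shared-agent', { owner: 'alice', editors: ['bob'], file_ids: ['file-A'] }],
      ['private-agent', { owner: 'alice', editors: [], file_ids: ['file-A'] }],
    ]),
  };
}

const canEdit = (agent, user) => agent.owner === user || agent.editors.includes(user);

// Models the behaviour the advisory describes: edit access to one referencing
// agent is enough to remove the file record for every agent.
function deleteFileGlobal(store, user, agentId, fileId) {
  const agent = store.agents.get(agentId);
  if (!agent || !canEdit(agent, user) || !agent.file_ids.includes(fileId)) return 403;
  agent.file_ids = agent.file_ids.filter((id) => id !== fileId);
  store.files.delete(fileId); // global removal, other agents are not consulted
  return 200;
}

// Scoped alternative: detach from the agent the caller can edit; drop the record
// only for the file's owner and only once no agent references it any more.
function deleteFileScoped(store, user, agentId, fileId) {
  const agent = store.agents.get(agentId);
  if (!agent || !canEdit(agent, user) || !agent.file_ids.includes(fileId)) return 403;
  agent.file_ids = agent.file_ids.filter((id) => id !== fileId);
  const referenced = [...store.agents.values()].some((a) => a.file_ids.includes(fileId));
  const file = store.files.get(fileId);
  if (file && file.owner === user && !referenced) store.files.delete(fileId);
  return 200;
}

// Monitoring check: list agent references whose file record no longer exists.
function findStaleRefs(store) {
  const stale = [];
  for (const [agentId, agent] of store.agents) {
    for (const fileId of agent.file_ids) {
      if (!store.files.has(fileId)) stale.push(`${agentId}:${fileId}`);
    }
  }
  return stale;
}
```

Run `findStaleRefs` after each delete path on a fresh `makeStore()` to compare the two behaviours.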


Advisories

No advisories yet.

History

Wed, 03 Jun 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 03 Jun 2026 04:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Danny-avila, Danny-avila libre Chat |
| Vendors & Products | | Danny-avila, Danny-avila libre Chat |

Wed, 03 Jun 2026 02:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, a shared-agent editor can delete file records through `DELETE /api/files` that the owner has reused across multiple agents. The deletion removes the file globally — not just from the shared agent — breaking the owner's other private agents that reference the same `file_id`. The private agent retains a stale `file_id` reference that no longer resolves. A shared-agent editor can destroy files that the owner uses across multiple agents. The owner's private agents — which the attacker has no access to — break silently with stale `file_id` references. This is a cross-agent integrity violation: editing access to one agent should not affect another. Version 0.8.4 contains a patch. |
| Title | | LibreChat: Shared-agent editor can globally delete owner's file records — breaks owner's other private agents |
| Weaknesses | | CWE-863 |
| References | | |
| Metrics | | cvssV4_0 {'score': 5.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-03T13:12:00.527Z

Reserved: 2026-05-07T15:30:10.876Z

Link: CVE-2026-44654

Vulnrichment

Updated: 2026-06-03T13:11:57.227Z

NVD

Status: Received

Published: 2026-06-02T23:16:38.260

Modified: 2026-06-03T14:16:43.850

Link: CVE-2026-44654

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T04:15:24Z

Weaknesses