Description
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the POST /api/files/images endpoint allows any authenticated user to upload files into any agent's tool_resources (e.g., context, execute_code) without verifying ownership or EDIT permission on the target agent. A permission check was added to the POST /api/files route in a previous patch, but the image upload route was never updated with the same check. An attacker can simply use the image endpoint instead of the file endpoint to bypass the authorization entirely. This vulnerability is fixed in 0.8.4-rc1.
Published: 2026-06-25
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LibreChat allows any authenticated user to upload files through the /api/files/images endpoint without verifying permission on the target agent. The missing authorization check means a user can place malicious or arbitrary files into an agent's tool_resources, potentially altering the agent's behavior or enabling further attacks. This flaw is classified as an Authorization Bypass vulnerability (CWE-862).

Affected Systems

The vulnerability affects the LibreChat application developed by danny-avila. Any deployment running a version earlier than 0.8.4-rc1 is susceptible, as the fix that added permission checks to the generic file upload endpoint was never applied to the image upload route.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. Since the EPSS score is not available and the issue is not listed in the CISA KEV, the public exploitation probability is unclear, yet the flaw can be leveraged by any authenticated user. An attacker can use the image upload endpoint to bypass necessary checks and place files that an agent will later consume, potentially leading to data leakage or execution of malicious code within the agent's environment. The ease of use of the HTTP endpoint means exploitation requires minimal expertise beyond legitimate authentication credentials.

Generated by OpenCVE AI on June 25, 2026 at 17:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LibreChat to version 0.8.4-rc1 or later, which contains the missing permission check for image uploads.
  • If an immediate upgrade is not possible, limit access to the /api/files/images endpoint to users with administrative privileges by applying network or application‑level access controls.
  • Implement custom middleware that verifies agent ownership and EDIT permission before accepting any file upload through any endpoint.
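
One way to implement the shared check from the last recommendation, as an added example that is not LibreChat's code: an Express-style middleware attached to both upload routes, plus a regression check that lists any upload route missing it. The permission store, `canEditAgent`, the `agent_id` / `tool_resource` body fields and the route table are assumptions for illustration.

```javascript
// Added example with hypothetical names; not LibreChat's code.
// Constructed sample data: one agent, its owner, and per-user grants.
const AGENTS = { agent_A: { owner: 'alice', grants: { bob: ['VIEW'] } } };

// Hypothetical lookup; a real deployment would query its own ACL store.
function canEditAgent(userId, agentId) {
  const agent = AGENTS[agentId];
  if (!agent) return false; // unknown agent: deny
  return agent.owner === userId || (agent.grants[userId] || []).includes('EDIT');
}

// Express-style middleware, meant to run before every upload handler.
// Body field names agent_id / tool_resource are assumptions.
function requireAgentEdit(req, res, next) {
  const { agent_id: agentId, tool_resource: toolResource } = req.body || {};
  if (!agentId && !toolResource) return next(); // upload not aimed at an agent
  if (!agentId || !canEditAgent(req.user.id, agentId)) {
    return res.status(403).json({ error: 'EDIT permission on agent required' });
  }
  return next();
}

const storeUpload = (req, res) => res.status(200).json({ stored: true });

// Both upload routes share the same guard; the flaw described above is the
// case where only the first entry carried it.
const ROUTES = {
  'POST /api/files': [requireAgentEdit, storeUpload],
  'POST /api/files/images': [requireAgentEdit, storeUpload],
};

// Regression check: any upload route whose chain lacks the guard.
function unguardedRoutes(routes = ROUTES) {
  return Object.keys(routes).filter((r) => !routes[r].includes(requireAgentEdit));
}

// Minimal dispatcher standing in for the web framework, so this runs offline.
function dispatch(route, userId, body) {
  const out = { status: null, body: null };
  const res = {
    status(code) { out.status = code; return res; },
    json(payload) { out.body = payload; return res; },
  };
  const req = { user: { id: userId }, body };
  const chain = ROUTES[route];
  let i = 0;
  const next = () => chain[i++](req, res, next);
  next();
  return out;
}
```

Running `unguardedRoutes()` in a test suite against the application's real route table turns the "sibling route was never updated" failure into a failing build.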



Advisories

No advisories yet.

History

Thu, 25 Jun 2026 16:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the POST /api/files/images endpoint allows any authenticated user to upload files into any agent's tool_resources (e.g., context, execute_code) without verifying ownership or EDIT permission on the target agent. A permission check was added to the POST /api/files route in a previous patch, but the image upload route was never updated with the same check. An attacker can simply use the image endpoint instead of the file endpoint to bypass the authorization entirely. This vulnerability is fixed in 0.8.4-rc1. |
| Title | | LibreChat: Image Upload Route Bypasses Agent Permission Check — Incomplete Fix for File Upload Authorization |
| Weaknesses | | CWE-862 |
| References | | |
| Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'} |



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T15:52:02.234Z

Reserved: 2026-06-11T16:57:50.018Z

Link: CVE-2026-54027

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T17:30:05Z

Weaknesses