โ† Back to Dashboard

CVE-2026-44654

HIGH NVD
CVSS Score
8.1
Severity
HIGH
Source
NVD
Published
Jun 02, 2026
Description

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, a shared-agent editor can delete file records through `DELETE /api/files` that the owner has reused across multiple agents. The deletion removes the file globally โ€” not just from the shared agent โ€” breaking the owner's other private agents that reference the same `file_id`. The private agent retains a stale `file_id` reference that no longer resolves. A shared-agent editor can destroy files that the owner uses across multiple agents. The owner's private agents โ€” which the attacker has no access to โ€” break silently with stale `file_id` references. This is a cross-agent integrity violation: editing access to one agent should not affect another. Version 0.8.4 contains a patch.

View Full Details โ† Back