{"data":{"id":"b65a3aa6-d3b4-4093-ac47-f43543ee2ce0","title":"CVE-2026-31950: LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc2 through 0.8.2-rc3, the SSE streaming endpoi","summary":"LibreChat (a ChatGPT alternative with extra features) versions 0.8.2-rc2 through 0.8.2-rc3 have a security flaw in the SSE streaming endpoint (a real-time data connection) at `/api/agents/chat/stream/:streamId` that fails to check if a user actually owns a chat stream. This means any logged-in user can guess or obtain another user's stream ID and read their live conversations, including messages and AI responses, without permission.","solution":"Version 0.8.2 patches the issue.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-31950","publishedAt":"2026-03-27T20:16:30.217Z","cveId":"CVE-2026-31950","cweIds":["CWE-284"],"cvssScore":"5.3","cvssSeverity":"medium","severity":"medium","attackType":["other"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["LibreChat"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","attackVector":"network","attackComplexity":"high","privilegesRequired":"low","userInteraction":"none","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-03-27T20:16:30.217Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}