{"data":{"id":"e868da28-9f27-40df-b4d8-c8377b556876","title":"CVE-2026-44653: LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, users","summary":"LibreChat, a ChatGPT-like application supporting multiple AI providers, has a vulnerability in versions up to and including 0.8.3 where users with limited VIEW access can retrieve the decrypted values of encrypted admin passwords and API keys through specific API endpoints, exposing credentials that should remain secret. This happens because the API returns plaintext sensitive values instead of hiding them from non-admin users.","solution":"Version 0.8.4 contains a patch. The source also recommends these additional approaches: never return decrypted admin-managed secrets to non-owners; redact apiKey.key and oauth.client_secret from all API responses; consider returning only boolean presence indicators for secrets (true/false flags showing whether a secret exists, similar to the auth-values route pattern); and if owners need to edit configs without re-entering secrets, preserve secrets server-side and return placeholders instead of plaintext values.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-44653","publishedAt":"2026-06-02T23:16:38.123Z","cveId":"CVE-2026-44653","cweIds":["CWE-201"],"cvssScore":"6.5","cvssSeverity":"medium","severity":"medium","attackType":["data_extraction"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["LibreChat"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","attackVector":"network","attackComplexity":"low","privilegesRequired":"low","userInteraction":"none","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-06-02T23:16:38.123Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}