CVE-2026-54033: LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, LibreChat allows users t
Summary
LibreChat, a ChatGPT-like tool that works with multiple AI providers, had a security flaw in versions before 0.8.4-rc1: authenticated users could configure custom API endpoints without proper validation. This potentially allowed them to access internal network addresses through SSRF (server-side request forgery, where a server is tricked into making requests to unintended targets).
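The kind of validation whose absence the summary describes, as an added example: this is not LibreChat's code or its fix, the function names are hypothetical, and the blocked ranges are an assumption because the page does not list what the fixed version checks.

```javascript
// Added example: hypothetical validator, not LibreChat's code or its fix.
const net = require('net');
const dns = require('dns').promises;

// Assumed deny-list: loopback, RFC 1918, CGNAT, link-local (cloud metadata),
// and the IPv6 unspecified, loopback, unique-local and link-local ranges.
const internal = new net.BlockList();
for (const [prefix, bits] of [['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10],
  ['127.0.0.0', 8], ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16]]) {
  internal.addSubnet(prefix, bits, 'ipv4');
}
internal.addAddress('::', 'ipv6');
internal.addAddress('::1', 'ipv6');
internal.addSubnet('fc00::', 7, 'ipv6');
internal.addSubnet('fe80::', 10, 'ipv6');

function isInternalAddress(ip) {
  const family = net.isIP(ip);
  if (family === 0) throw new TypeError(`not an IP address: ${ip}`);
  return internal.check(ip, family === 6 ? 'ipv6' : 'ipv4');
}

// Check run when a user saves an endpoint; returns the host still to resolve.
// WHATWG URL parsing normalises http://2130706433/ to 127.0.0.1 first.
function parseEndpoint(rawUrl) {
  const url = new URL(rawUrl);
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    throw new Error(`scheme not allowed: ${url.protocol}`);
  }
  const host = url.hostname.replace(/^\[|\]$/g, ''); // strip IPv6 brackets
  if (net.isIP(host) && isInternalAddress(host)) {
    throw new Error(`internal address not allowed: ${host}`);
  }
  return host;
}

// Full check: every address the name resolves to must be external.
// `lookup` is injectable so the check can be exercised offline.
async function assertEndpointAllowed(rawUrl, lookup = dns.lookup) {
  const host = parseEndpoint(rawUrl);
  const records = net.isIP(host) ? [{ address: host }] : await lookup(host, { all: true });
  for (const { address } of records) {
    if (isInternalAddress(address)) {
      throw new Error(`${host} resolves to internal address ${address}`);
    }
  }
  return records.map((r) => r.address);
}
```

A check made only when the endpoint is saved can be bypassed if the name later resolves elsewhere, so the same address test belongs on the connection that actually carries the request.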
Solution / Mitigation
Update LibreChat to version 0.8.4-rc1 or later, where this vulnerability is fixed.
Vulnerability Details
CVSS score: 7.7 (high)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack vector: network
Attack complexity: low
Privileges required: low
User interaction: none
June 25, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-54033
First tracked: June 25, 2026 at 02:11 PM
Classified by LLM (prompt v3) · confidence: 85%