CVE-2026-54029: LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the DELETE /api/messages
Summary
LibreChat (a ChatGPT alternative that works with multiple AI services) has a vulnerability in versions before 0.8.4-rc1 where the message deletion API endpoint doesn't properly check ownership, allowing any logged-in user to permanently delete another user's messages by providing their own conversation ID along with someone else's message ID.
Solution / Mitigation
This vulnerability is fixed in version 0.8.4-rc1. Update LibreChat to 0.8.4-rc1 or later.
Vulnerability Details
5.3(medium)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
network
high
low
none
June 25, 2026
Classification
Affected Vendors
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-54029
First tracked: June 25, 2026 at 02:11 PM
Classified by LLM (prompt v3) · confidence: 85%