CVE-2026-54027: LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the POST /api/files/imag
Summary
LibreChat, a ChatGPT-like application that works with multiple AI providers, has a vulnerability in its image upload feature (the POST /api/files/images endpoint) that allows any logged-in user to upload files to another user's agent tools without permission. The developers had previously added permission checks to the file upload route but not to the image upload route, so an attacker can bypass the check simply by uploading through the image endpoint instead of the regular file endpoint. This issue is fixed in version 0.8.4-rc1.
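The authorization gap described above, modelled as an added example in plain JavaScript (not LibreChat's code): the ownership check, the request shape, the sample agents and the name of the regular file route (assumed here to be POST /api/files) are all assumptions.

```javascript
// Added example, not LibreChat's code: models the missing authorization
// check behind CVE-2026-54027 and the route-parity fix. Names are hypothetical.

// Constructed sample data: which user owns which agent.
const agents = new Map([
  ['agent-alice', { owner: 'alice', toolFiles: [] }],
  ['agent-bob', { owner: 'bob', toolFiles: [] }],
]);

// The single check every upload route must share: the caller may only attach
// files to an agent they own. Returns an error response, or null if allowed.
function requireAgentAccess(req) {
  const agent = agents.get(req.body.agent_id);
  if (!agent) return { status: 404, error: 'agent not found' };
  if (agent.owner !== req.user.id) return { status: 403, error: 'forbidden' };
  return null;
}

// Shared business logic: record the upload as one of the agent's tool files.
function attachToAgent(req) {
  const agent = agents.get(req.body.agent_id);
  if (!agent) return { status: 404, error: 'agent not found' };
  agent.toolFiles.push({ name: req.file.name, uploadedBy: req.user.id });
  return { status: 200, attached: agent.toolFiles.length };
}

// Before the fix: the file route got the check, the image route did not, so an
// authenticated user could reach attachToAgent for someone else's agent.
const routesBefore = {
  'POST /api/files': (req) => requireAgentAccess(req) ?? attachToAgent(req),
  'POST /api/files/images': (req) => attachToAgent(req),
};

// After the fix: one guard wrapper applied to every route that touches agents,
// so a newly added upload route cannot silently skip the check.
function guarded(handler) {
  return (req) => requireAgentAccess(req) ?? handler(req);
}
const routesAfter = {
  'POST /api/files': guarded(attachToAgent),
  'POST /api/files/images': guarded(attachToAgent),
};

// Simulates a logged-in user posting a file for a given agent to a route.
function uploadAs(routes, route, userId, agentId) {
  const req = { user: { id: userId }, body: { agent_id: agentId }, file: { name: 'sample.png' } };
  return routes[route](req);
}

console.log('before:', uploadAs(routesBefore, 'POST /api/files/images', 'bob', 'agent-alice').status); // 200
console.log('after:', uploadAs(routesAfter, 'POST /api/files/images', 'bob', 'agent-alice').status); // 403
```

The detection angle is the same comparison: any upload route that can reach the agent-attachment logic without passing through the shared guard is a finding, regardless of file type.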
Solution / Mitigation
Update LibreChat to version 0.8.4-rc1 or later.
Vulnerability Details
CVSS score: 6.5 (medium)
EPSS: 0.0%
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack vector: network
Attack complexity: low
Privileges required: low
User interaction: none
June 25, 2026
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-54027
First tracked: June 25, 2026 at 02:11 PM
Classified by LLM (prompt v3) · confidence: 85%