AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-54024: LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the fix for CVE-2024-111

mediumvulnerability

security

Source: NVD/CVE DatabaseJune 25, 2026CVE-2026-54024

Summary

LibreChat is a ChatGPT-like application that works with multiple AI providers. Before version 0.8.4-rc1, a file upload endpoint called POST /api/convos/import didn't have proper file size restrictions, allowing logged-in users to upload very large files that could fill up a server's storage and memory. A previous security fix added size limits to other file uploads but missed this endpoint.

Solution / Mitigation

Upgrade to LibreChat version 0.8.4-rc1 or later, which fixes this vulnerability.

Vulnerability Details

CVSS Score

6.5(medium)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

network

Attack Complexity

low

Privileges Required

low

User Interaction

none

Disclosure Date

June 25, 2026

Classification

Attack Type

DoS

Attack SophisticationTrivial

Impact (CIA+S)

availability

AI Component TargetedAPI

Taxonomy References

CWE (Weakness Type)

CWE-770

CAPEC (Attack Pattern)

CAPEC-130

Affected Vendors

LangChain

Related Issues

medium

CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e

Same vendorNVD/CVE Database

critical

CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-

Same vendor

Monthly digest — independent AI security research

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-54024

First tracked: June 25, 2026 at 02:11 PM

Classified by LLM (prompt v3) · confidence: 85%