7.1

CVE-2025-69220

Medienbericht

Exploit

EPSS 0.03%
Veröffentlicht 07.01.2026 20:49:00
Zuletzt bearbeitet 15.01.2026 21:44:57
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file uploads to an agents file context and file search. An authenticated attacker with access to the agent ID can change the behavior of arbitrary agents by uploading new files to the file context or file search, even if they have no permissions for this agent. This issue is fixed in version 0.8.2-rc2.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 12

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Librechat ≫ Librechat Version0.8.1 Update-

Librechat ≫ Librechat Version0.8.1 Updaterc1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.093

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
security-advisories@github.com	7.1	1.8	4.7	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://www.sba-research.org/2026/01/08/sba-security-advisory-librechat-insufficient-access-control-on-agent-files-cve-2025-69220/

Medienbericht

SBA Research

08.01.2026 10:23

https://cwe.mitre.org/data/definitions/284.html

Not Applicable

https://cwe.mitre.org/data/definitions/862.html

Not Applicable

https://github.com/danny-avila/LibreChat/security/advisories/GHSA-xcmf-rpmh-hg59

Vendor Advisory

Exploit

https://github.com/danny-avila/LibreChat/commit/4b9c6ab1cb9de626736de700c7981f38be08d237

Patch

https://github.com/danny-avila/LibreChat/releases/tag/v0.8.2-rc2

Release Notes

https://owasp.org/Top10/A01_2021-Broken_Access_Control

Not Applicable

https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.html

Technical Description

https://raw.githubusercontent.com/OWASP/ASVS/v5.0.0/5.0/OWASP_Application_Security_Verification_Standard_5.0.0_en.pdf

Technical Description

https://nvd.nist.gov/vuln/detail/CVE-2025-69220

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-69220

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-69220

EUVD