LibreChat Improper Access Control Vulnerability Allowing Prompt Deletion

Vulnerability

A vulnerability exists in LibreChat versions prior to 0.7.6 that allows authenticated users to delete prompts belonging to other users. The issue arises because the application does not verify that the prompt being deleted belongs to the user making the request. The vulnerability is exploited through the group ID parameter of the delete request.

Impact

Exploitation of this vulnerability allows unauthorized deletion of other users' prompts, potentially leading to data loss.

Reproduction

To reproduce this vulnerability, create two user accounts, User A and User B. As User A, create prompts and note their IDs. Then log in as User B and send a delete request for the prompts created by User A, using those prompt IDs in the request.

Remediation

Users are advised to update to LibreChat version 0.7.6 or later, where this vulnerability has been fixed.
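The root cause described above is a missing ownership check on the delete path. The following is an added illustration, not LibreChat's own code: a minimal Express-style handler in the unchecked form beside the corrected form, where the lookup is scoped to the authenticated user so another user's prompt is treated as non-existent. The in-memory store, the field names (author, groupId) and the request object shape are assumptions.

```javascript
// Added illustration, not LibreChat's code. Store shape, field names
// (author, groupId) and the request object are assumptions.

// Constructed sample data: one prompt owned by each of two users.
function makeStore() {
  return new Map([
    ['p1', { _id: 'p1', author: 'userA', groupId: 'g1', text: 'prompt of A' }],
    ['p2', { _id: 'p2', author: 'userB', groupId: 'g2', text: 'prompt of B' }],
  ]);
}

// Unchecked pattern: the record is looked up by id only, so the identity of
// the caller never enters the decision. Any authenticated user can delete
// any prompt whose id they know.
function deletePromptUnchecked(store, req) {
  const { promptId } = req.params;
  if (!store.has(promptId)) return { status: 404 };
  store.delete(promptId);
  return { status: 200 };
}

// Corrected pattern: the lookup is scoped to the authenticated user, so a
// prompt owned by someone else is simply not found. The group parameter is
// constrained the same way: it must match the prompt the caller owns.
function deletePromptOwned(store, req) {
  const { promptId } = req.params;
  const { groupId } = req.query;
  const userId = req.user.id;
  const prompt = store.get(promptId);
  const owned = Boolean(prompt) && prompt.author === userId
    && (groupId === undefined || prompt.groupId === groupId);
  if (!owned) return { status: 404 };
  store.delete(promptId);
  return { status: 200 };
}

// Scenario from the advisory: User B sends a delete request for User A's
// prompt. Returns the response status and whether the prompt survived.
function crossUserDelete(handler) {
  const store = makeStore();
  const req = { params: { promptId: 'p1' }, query: { groupId: 'g1' }, user: { id: 'userB' } };
  const res = handler(store, req);
  return { status: res.status, promptStillExists: store.has('p1') };
}
```

Returning 404 rather than 403 for a prompt the caller does not own also avoids confirming that the guessed ID exists.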

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (Custom Algorithm)

spread          1.4
impact          0.6
exploitability  9.1
remediation     7.7
relevance       0.0
threat          6.4
urgency         2.9
incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.