Danny Avila · Librechat · CVE-2026-31942
**Name of the Vulnerable Software and Affected Versions**
LibreChat versions prior to 0.8.3-rc1
**Description**
An Insecure Direct Object Reference (IDOR) exists in the `PUT /api/keys` endpoint. The handler sets the authenticated user's ID on the update object and then spreads the request body over it with the JavaScript object spread operator; because later spread entries overwrite earlier ones, an authenticated user who includes a `userId` field in the request body replaces that ID and can overwrite the API keys of another user. This allows an attacker to replace a victim's API key configuration for providers such as OpenAI, Anthropic, or Azure, which could route the victim's conversations through attacker-controlled keys or cause a denial of service by supplying invalid keys.
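The following is an added illustration of the spread-order mistake described above and of one way to harden it. It is not LibreChat's code: the handler names, the in-memory key store, the request shape (`req.user.id`, `req.body`) and the body fields (`name`, `value`, `expiresAt`) are assumptions made for the example.

```javascript
// Added example, not LibreChat's code. Models an Express-style handler where
// the authenticated user is on req.user and the parsed JSON body on req.body.
// Store shape and field names are assumptions for illustration only.

// Constructed in-memory key store: one record per (userId, name) pair.
function makeStore() {
  const records = new Map();
  return {
    upsert(record) {
      records.set(`${record.userId}:${record.name}`, { ...record });
    },
    get(userId, name) {
      return records.get(`${userId}:${name}`) ?? null;
    },
  };
}

// Vulnerable pattern: the caller's ID is set first, then the whole body is
// spread over it. Later spread entries overwrite earlier ones, so a `userId`
// supplied by the client silently replaces the authenticated identity.
function vulnerableUpdateKey(req, store) {
  const update = { userId: req.user.id, ...req.body };
  store.upsert(update);
  return update;
}

// Hardened pattern: reject a client-supplied userId outright, pick only the
// fields the endpoint is meant to accept, and apply the authenticated identity
// last so nothing from the body can override it.
function hardenedUpdateKey(req, store) {
  if ('userId' in req.body) {
    const err = new Error('userId must not be supplied in the request body');
    err.status = 400;
    throw err;
  }
  const { name, value, expiresAt } = req.body;
  if (typeof name !== 'string' || typeof value !== 'string') {
    const err = new Error('name and value are required strings');
    err.status = 400;
    throw err;
  }
  const update = { name, value, expiresAt: expiresAt ?? null, userId: req.user.id };
  store.upsert(update);
  return update;
}

// Constructed scenario: "victim" already has an OpenAI key stored; the
// authenticated "attacker" sends a body that carries the victim's userId.
function runScenario(handler) {
  const store = makeStore();
  store.upsert({ userId: 'victim', name: 'openAI', value: 'sk-victim-real' });
  const req = {
    user: { id: 'attacker' },
    body: { userId: 'victim', name: 'openAI', value: 'sk-attacker-controlled' },
  };
  let error = null;
  try {
    handler(req, store);
  } catch (e) {
    error = e;
  }
  return {
    error,
    victimKey: store.get('victim', 'openAI').value,
    attackerKey: store.get('attacker', 'openAI')?.value ?? null,
  };
}
```

Running `runScenario(vulnerableUpdateKey)` shows the victim's stored key replaced by the attacker's value while nothing is written under the attacker's own ID; `runScenario(hardenedUpdateKey)` rejects the request with a 400 and leaves the victim's key untouched. The same ordering rule applies to any handler that merges a client body into a server-controlled object: identity and ownership fields go last, or better, the body is reduced to an explicit allow-list of fields before merging.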
**Recommendations**
Update to version 0.8.3-rc1 or later.