PT-2025-12040 · Librechat · Librechat
Published: 2025-03-20 · Updated: 2025-07-15 · CVE-2024-10366
CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions: danny-avila/librechat version v0.7.5-rc2
Description: An improper access control vulnerability exists in the delete attachments functionality. The endpoint does not verify whether the provided attachment ID belongs to the current user, so any authenticated user can delete attachments that belong to other users (an IDOR).
Recommendations: For version v0.7.5-rc2, consider restricting access to the delete attachments functionality until a patch is available, ensuring that only authorized users can delete attachments. As a temporary workaround, modify the endpoint to verify that the attachment identified by the supplied ID is owned by the requesting user before allowing deletion.
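The missing ownership check described above, as an added example that is not LibreChat's own code: a minimal in-memory model of a delete-attachments handler, with the vulnerable lookup beside the corrected one. The store shape, the `file_id` parameter name, the `req.user.id` field and the status codes are assumptions made for this illustration.

```javascript
// Added example, not LibreChat's code. In-memory model of a delete-attachments
// handler; store shape, field names and status codes are assumptions.
const attachments = new Map(); // file_id -> { file_id, user, filepath }
const auditLog = []; // denied cross-user attempts, kept for detection/alerting

function seed() {
  attachments.clear();
  auditLog.length = 0;
  attachments.set('file-a1', { file_id: 'file-a1', user: 'alice', filepath: '/uploads/alice/a1.png' });
  attachments.set('file-b1', { file_id: 'file-b1', user: 'bob', filepath: '/uploads/bob/b1.pdf' });
}

// Vulnerable pattern (the advisory's condition): the handler looks up the
// client-supplied file_id and deletes it without checking who owns it.
function deleteAttachmentVulnerable(req) {
  const record = attachments.get(req.body.file_id);
  if (!record) return { status: 404, body: 'not found' };
  attachments.delete(record.file_id);
  return { status: 200, body: 'deleted' };
}

// Hardened pattern: the record must exist AND belong to the authenticated user.
// Both failures return 404 so the response does not reveal whether another
// user's attachment id exists; ownership mismatches are logged for detection.
function deleteAttachmentFixed(req) {
  const record = attachments.get(req.body.file_id);
  if (!record) return { status: 404, body: 'not found' };
  if (record.user !== req.user.id) {
    auditLog.push({ event: 'attachment_delete_denied', actor: req.user.id,
                    owner: record.user, file_id: record.file_id });
    return { status: 404, body: 'not found' };
  }
  attachments.delete(record.file_id);
  return { status: 200, body: 'deleted' };
}

function hasAttachment(fileId) { return attachments.has(fileId); }
function deniedAttempts() { return auditLog.slice(); }

// Stand-alone demo: bob requests deletion of alice's attachment against each handler.
function demo() {
  seed();
  const viaVulnerable = deleteAttachmentVulnerable({ user: { id: 'bob' }, body: { file_id: 'file-a1' } });
  seed();
  const viaFixed = deleteAttachmentFixed({ user: { id: 'bob' }, body: { file_id: 'file-a1' } });
  return { viaVulnerable: viaVulnerable.status, viaFixed: viaFixed.status, stillPresent: hasAttachment('file-a1') };
}
console.log(demo());
```

The audit entries written on a mismatch are the signal a defender would forward to monitoring: repeated `attachment_delete_denied` events from one actor across several owners indicate probing of this endpoint.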

Weakness Enumeration: Improper Access Control, IDOR
Related Identifiers: CVE-2024-10366
Affected Products: Librechat