PT-2025-12099 · Librechat · Librechat

Published: 2025-03-20 · Updated: 2025-07-15 · CVE-2024-11167

CVSS v3.1: 9.4 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: danny-avila/librechat versions prior to 0.7.6

Description: The issue is an improper access control flaw that allows authenticated users to delete other users' prompts. The prompt-deletion endpoint does not verify that the prompt identified by the supplied groupid parameter belongs to the current user.

Recommendations: For versions prior to 0.7.6, update to version 0.7.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the endpoint that handles prompt deletion to prevent unauthorized modifications. Avoid using the groupid parameter in the affected endpoint until the issue is resolved.
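The missing ownership check the description refers to, shown as an added illustration in JavaScript that is not LibreChat's own code: the in-memory store, the function names and the 404 response are assumptions, with the unchecked deletion beside the owner-scoped lookup that closes this class of IDOR.

```javascript
// Added illustration, not LibreChat's code: an in-memory prompt-group store and
// two shapes of the delete handler. The store layout, function names and the
// 404 response are assumptions made for this example.
let nextId = 1;

function makeStore() {
  return new Map(); // groupId -> { author, name }
}

function createPromptGroup(store, authorId, name) {
  const groupId = `g${nextId++}`;
  store.set(groupId, { author: authorId, name });
  return groupId;
}

// Vulnerable shape (the pattern behind CVE-2024-11167): the record is looked up
// by groupId alone, so any authenticated caller who supplies another user's id
// removes that user's prompt group.
function deletePromptGroupUnchecked(store, userId, groupId) {
  if (!store.has(groupId)) return { status: 404, body: "not found" };
  store.delete(groupId);
  return { status: 200, body: "deleted" };
}

// Fixed shape: the lookup is scoped to the caller, so a groupId owned by
// someone else is handled exactly like one that does not exist and the
// response reveals nothing about other users' prompts.
function deletePromptGroupChecked(store, userId, groupId) {
  const group = store.get(groupId);
  if (!group || group.author !== userId) {
    return { status: 404, body: "not found" };
  }
  store.delete(groupId);
  return { status: 200, body: "deleted" };
}

// Constructed scenario: two users, one of whom submits the other's groupId.
function demo() {
  const store = makeStore();
  const aliceGroup = createPromptGroup(store, "alice", "Alice's prompt");
  const before = deletePromptGroupUnchecked(store, "carol", aliceGroup).status; // 200
  const bobGroup = createPromptGroup(store, "bob", "Bob's prompt");
  const after = deletePromptGroupChecked(store, "carol", bobGroup).status; // 404
  return { before, after, bobStillThere: store.has(bobGroup) };
}
```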

Exploit

Fix

Improper Access Control

IDOR

Weakness Enumeration

Related Identifiers: CVE-2024-11167

Affected Products: Librechat