PT-2025-37108 · Danny Avila · Librechat
Published 2025-06-14 · Updated 2025-10-16
CVE-2025-6088
CVSS v3.1: 4.2 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L
Name of the Vulnerable Software and Affected Versions:
danny-avila/librechat version 0.7.8
Description:
Improper authorization controls in the conversation sharing feature allow unauthorized access to other users' conversations if the conversation ID is known. Conversation IDs, while generated server-side as UUIDv4, can be obtained from sources like server-side access logs, browser history, or screenshots. Exploitation involves accessing the /api/share/conversationID endpoint without proper authorization checks, granting read-only access to another user's conversations.
Recommendations:
Update to version 0.7.9-rc1 or later.
Weakness Enumeration: Improper Authorization
Affected Products: Librechat