PT-2026-26054 · Librechat · Librechat
Lisa Gnedt
+1
·
Published
2026-03-18
·
Updated
2026-03-18
·
CVE-2026-33265
CVSS v3.1
9.0
Critical
| Vector | AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
LibreChat version 0.8.1-rc2
Description
A logged-in user can obtain a JWT (JSON Web Token) for both the LibreChat API and the RAG API. This allows access to both APIs with the user's credentials. The JWT token can be abused.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Librechat