CVE-2026-54033

Name of the Vulnerable Software and Affected Versions LibreChat versions prior to 0.8.4-rc1

Description LibreChat allows authenticated users to configure custom OpenAI-compatible API endpoints by setting a baseURL. The application fails to perform Server-Side Request Forgery (SSRF) validation on this URL, lacking private IP checks, scheme restrictions, and DNS pinning. This allows a user to set the baseURL to internal network addresses, potentially enabling requests to be sent to internal systems.

Recommendations Update to version 0.8.4-rc1.