CVE-2026-54027

Source
https://cve.org/CVERecord?id=CVE-2026-54027
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54027.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-54027
Aliases
  • GHSA-c55r-p24w-hcj5
Published
2026-06-25T15:52:02.234Z
Modified
2026-07-15T01:49:09.931526303Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
LibreChat: Image Upload Route Bypasses Agent Permission Check — Incomplete Fix for File Upload Authorization
Details

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the POST /api/files/images endpoint allows any authenticated user to upload files into any agent's toolresources (e.g., context, executecode) without verifying ownership or EDIT permission on the target agent. A permission check was added to the POST /api/files route in a previous patch, but the image upload route was never updated with the same check. An attacker can simply use the image endpoint instead of the file endpoint to bypass the authorization entirely. This vulnerability is fixed in 0.8.4-rc1.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54027.json",
    "cwe_ids": [
        "CWE-862"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/danny-avila/librechat

Affected ranges

Type
GIT
Repo
https://github.com/danny-avila/librechat
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:librechat:librechat:*:*:*:*:*:*:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.8.4-rc1"
        },
        {
            "last_affected": "0.8.3"
        }
    ]
}

Affected versions

chart-1.*
chart-1.9.0
chart-1.9.1
chart-1.9.2
chart-1.9.3
chart-1.9.4
chart-1.9.5
chart-1.9.6
chart-1.9.7
chart-1.9.8
chart-1.9.9
chart-2.*
chart-2.0.0
chart-2.0.1
librechat-1.*
librechat-1.8.9
v0.*
v0.0.1
v0.0.2
v0.0.3
v0.0.6
v0.1.0
v0.1.1
v0.2.0
v0.3.0
v0.3.3
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.4.8
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.6.10
v0.6.5
v0.6.6
v0.6.9
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.7.3-rc
v0.7.3-rc2
v0.7.4
v0.7.4-rc1
v0.7.5
v0.7.5-rc1
v0.7.5-rc2
v0.7.6
v0.7.6-rc1
v0.7.7
v0.7.7-rc1
v0.7.8
v0.7.8-rc1
v0.7.9
v0.7.9-rc1
v0.8.0
v0.8.0-rc1
v0.8.0-rc2
v0.8.0-rc3
v0.8.0-rc4
v0.8.1
v0.8.1-rc1
v0.8.1-rc2
v0.8.2
v0.8.2-rc1
v0.8.2-rc2
v0.8.2-rc3
v0.8.3
v0.8.3-rc1
v0.8.3-rc2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54027.json"