CVE-2025-69220 in LibreChat
Summary
by MITRE • 01/07/2026
LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file uploads to an agents file context and file search. An authenticated attacker with access to the agent ID can change the behavior of arbitrary agents by uploading new files to the file context or file search, even if they have no permissions for this agent. This issue is fixed in version 0.8.2-rc2.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 01/15/2026
CVE-2025-69220 represents a critical access control vulnerability within LibreChat version 0.8.1-rc2 that undermines the application's security model for file management operations. This vulnerability specifically affects the agents file context and file search functionalities, where proper authorization checks are absent or improperly implemented. The flaw allows authenticated attackers who possess knowledge of specific agent identifiers to manipulate the behavior of arbitrary agents through unauthorized file uploads, effectively bypassing the intended permission controls that should restrict such operations to authorized users only.
The technical implementation of this vulnerability stems from inadequate input validation and authorization enforcement mechanisms within the file upload pathways. When an attacker obtains access to an agent ID, they can leverage this information to target the file context or file search endpoints without proper authentication verification. This misconfiguration creates a privilege escalation scenario where unauthorized modifications can be made to agent configurations through file uploads, potentially leading to arbitrary code execution or data manipulation within the system's agent framework. The vulnerability directly maps to CWE-285, which addresses improper authorization issues, and aligns with ATT&CK technique T1078.004 for valid accounts and T1566.001 for spearphishing attachments, as the attack requires legitimate user credentials to initiate but exploits a weakness in access controls.
The operational impact of this vulnerability extends beyond simple unauthorized file access, as it enables attackers to fundamentally alter agent behavior and potentially compromise the integrity of the entire chat system. An attacker could upload malicious files that modify agent responses, redirect queries, or introduce backdoors within the agent's operational context. The implications are particularly severe given that LibreChat serves as a ChatGPT clone with additional features, meaning that compromised agents could affect multiple downstream services or user interactions. The vulnerability affects the application's core functionality by undermining the trust model that should exist between authenticated users and the system's agent management capabilities. The issue was successfully addressed in version 0.8.2-rc2 through proper implementation of access control checks that verify user permissions before allowing file upload operations to specific agent contexts.
Organizations utilizing LibreChat should immediately implement mitigation strategies including upgrading to version 0.8.2-rc2 or later, implementing additional network segmentation controls around agent management endpoints, and conducting comprehensive access control reviews. The vulnerability demonstrates the critical importance of proper authorization enforcement in multi-user applications where different users may have varying levels of access to shared resources. Security teams should also consider implementing monitoring controls around file upload operations and agent configuration changes to detect potential exploitation attempts. The fix implemented in the subsequent release addresses the root cause by ensuring that all file operations within agent contexts require proper authorization verification, thereby preventing unauthorized modifications to agent behavior through file upload mechanisms. This vulnerability serves as a reminder of the importance of defense in depth principles where multiple layers of security controls should protect against scenarios where one control fails.