CVE-2026-54027 in LibreChat
Summary
by MITRE • 06/25/2026
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the POST /api/files/images endpoint allows any authenticated user to upload files into any agent's tool_resources (e.g., context, execute_code) without verifying ownership or EDIT permission on the target agent. A permission check was added to the POST /api/files route in a previous patch, but the image upload route was never updated with the same check. An attacker can simply use the image endpoint instead of the file endpoint to bypass the authorization entirely. This vulnerability is fixed in 0.8.4-rc1.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 06/25/2026
This vulnerability exists within LibreChat version 0.8.4-rc1 and earlier, where the POST /api/files/images endpoint fails to properly validate user permissions when uploading files to agent tool resources. The flaw represents a critical authorization bypass that allows any authenticated user to upload images into any agent's tool_resources directory, including contexts and code execution environments, without proper ownership verification or EDIT permission checks. This security gap stems from incomplete patching where the POST /api/files route received permission validation but the image-specific upload endpoint was overlooked during the remediation process, creating a persistent backdoor for unauthorized file manipulation.
The technical implementation of this vulnerability exploits the inconsistency between two file upload endpoints within the application's API framework. When authenticated users access the POST /api/files/images endpoint, they can bypass the authorization mechanisms that should restrict file uploads to only those agents they own or have edit privileges for. This creates a scenario where malicious actors can inject images into agent tool resources that may be used for context manipulation, code execution, or other privilege escalation attacks. The vulnerability specifically targets the tool_resources directory structure where agents store supporting files for their operations, including context documents and code execution environments.
The operational impact of this vulnerability extends beyond simple unauthorized file uploads to encompass potential privilege escalation and persistent access exploitation. Attackers can leverage this flaw to place malicious images in agent contexts that might be processed by other system components, potentially leading to code execution or data exfiltration through compromised tool resources. The vulnerability enables attackers to manipulate the operational environment of any agent within the system without proper authorization, making it particularly dangerous in multi-user scenarios where agents represent different system functions or security domains. This represents a direct violation of the principle of least privilege and could allow attackers to gain persistent access to sensitive agent environments.
The remediation implemented in version 0.8.4-rc1 addresses this specific authorization bypass by adding proper permission validation to the POST /api/files/images endpoint, ensuring that users must possess appropriate ownership rights or EDIT permissions before uploading files to any agent's tool_resources directory. This fix aligns with established security practices for API endpoint protection and follows the principle of least privilege enforcement. The vulnerability is categorized under CWE-285: Improper Authorization within the Common Weakness Enumeration framework, which specifically addresses situations where access controls are not properly enforced on protected resources. From an ATT&CK perspective, this vulnerability maps to T1078: Valid Accounts and T1566: Phishing, as attackers can leverage authenticated sessions to gain unauthorized access to agent resources through the bypassed endpoint.
Organizations using LibreChat should immediately implement the 0.8.4-rc1 update or apply equivalent patching measures to ensure proper authorization enforcement across all file upload endpoints. The fix demonstrates the importance of comprehensive security auditing where all similar endpoints receive consistent protection, as partial remediation can leave systems vulnerable to exploitation through alternative attack vectors. System administrators should also implement monitoring for unauthorized file uploads and verify that permission checks are consistently applied across all API endpoints handling user-provided content to prevent future similar vulnerabilities in the application's architecture.