CVE Catalog

CVE-2026-54029

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.15%

5th percentile — higher than 5% of all known CVEs

Summary

A vulnerability in LibreChat before version 0.8.4-rc1 allows any authenticated user to delete any other user's messages. The delete endpoint lacks a user constraint, enabling an attacker to use their own conversation ID and the victim's message ID to permanently remove messages.

Risk Assessment

The risk involves permanent and irrecoverable deletion of other users' messages, potentially compromising data integrity and user trust in the system.

Recommendation

Upgrade LibreChat to version 0.8.4-rc1 or later immediately, which includes the fix for this vulnerability.

Original NVD description (English source)

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the DELETE /api/messages/:conversationId/:messageId endpoint allows any authenticated user to delete any other user's messages. The validateMessageReq middleware only validates that the conversationId belongs to the requesting user, but the handler calls deleteMessages({ messageId }) using only the messageId as the MongoDB filter — without adding a user constraint. An attacker provides their own valid conversationId (to pass validation) and the victim's messageId (to target deletion), resulting in permanent, irrecoverable message deletion. This vulnerability is fixed in 0.8.4-rc1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS