anonhaven
Ad

CVE-2026-33265

CRITICAL CVSS 3.1: 9.0 EPSS 0.06%
Updated Mar 24, 2026
Librechat
Parameter Value
CVSS 9.0 (CRITICAL)
Type CWE-669 (Incorrect Resource Transfer Between Spheres)
Vendor Librechat
Public PoC No

In LibreChat 0.8.1-rc2, a logged-in user obtains a JWT for both the LibreChat API and the RAG API.

Attack Parameters

Attack Vector
Adjacent
Requires local network access
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-669 Incorrect Resource Transfer Between Spheres

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Librechat Librechat
cpe:2.3:a:librechat:librechat:0.8.1:rc2:*:*:*:*:*:*

References 2

https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20251205-01_…
cve@mitre.org
https://www.openwall.com/lists/oss-security/2026/03/18/3
cve@mitre.org
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-31951

Librechat

5.7

CVE-2026-31950

Librechat

5.3

CVE-2026-31945

GitHub

7.7

CVE-2026-31943

Librechat

8.5

CVE-2025-41258

Librechat

8.0