Improper Authorization in Conversation Sharing of LibreChat by Danny Avila
CVE-2025-6088

4.2 MEDIUM

Key Information:

Vendor
CVE Published:
11 September 2025

What is CVE-2025-6088?

In version 0.7.8 of LibreChat, improper authorization controls in the conversation sharing feature create a significant security risk. A logged-in user may gain read-only access to other users' private conversations if they know the conversation ID. Although these IDs are in UUIDv4 format, they can be extracted from weakly protected sources such as server-side access logs, browser history, or screenshots. The vulnerable API endpoint /api/share/conversationID does not enforce the necessary authorization checks, allowing unauthorized access. This issue has been addressed in version 0.7.9-rc1.

Affected Version(s)

danny-avila/librechat < unspecified

References

CVSS V3.0

Score:
4.2
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
