Denial of Service Vulnerability in LibreChat by Danny Avila
CVE-2026-31949

6.5MEDIUM

Key Information:

Vendor: Danny-avila
Status: Librechat
Vendor: CVE Published:; 13 March 2026

🔔 Create Danny-avila Vulnerability Alert

What is CVE-2026-31949?

LibreChat, a ChatGPT clone developed by Danny Avila, exposes a Denial of Service vulnerability in its DELETE /api/convos endpoint for versions prior to 0.8.3-rc1. An authenticated attacker can exploit this vulnerability by sending malformed requests that do not properly validate inputs. This leads to a crash of the Node.js server process due to an unhandled TypeError, which bypasses existing Express error handling middleware, ultimately terminating the server unexpectedly. This issue has been addressed in the 0.8.3-rc1 release, highlighting the importance of input validation and error management.

Affected Version(s)

LibreChat < 0.8.3-rc1

References

https://github.com/danny-avila/LibreChat/security/advisor...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 13, 2026
Vulnerability Reserved
Mar 10, 2026

CVE-2026-31949 Data

JSON