Arbitrary File Write Vulnerability in LibreChat by Danny Avila
CVE-2026-34371

6.3MEDIUM

Key Information:

Vendor: Danny-avila
Status: Librechat
Vendor: CVE Published:; 7 April 2026

🔔 Create Danny-avila Vulnerability Alert

What is CVE-2026-34371?

LibreChat, a ChatGPT clone, suffers from an arbitrary file write vulnerability due to improper handling of the name field returned by the execute_code sandbox prior to version 0.8.4. This flaw allows attackers to exploit traversal sequences in filenames, thereby enabling unauthorized file creation or modification on the server. The vulnerability removes the necessary safeguards, allowing users leveraging execute_code to write files as the server user, posing a significant risk to the integrity and security of the system. The issue has been remediated in version 0.8.4.

Affected Version(s)

LibreChat < 0.8.4

References

https://github.com/danny-avila/LibreChat/security/advisor...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Mar 27, 2026

CVE-2026-34371 Data

JSON