Cross-Agent Integrity Violation in LibreChat by Danny Avila
CVE-2026-44654

5.7 MEDIUM

Key Information:

CVE Published: 2 June 2026

What is CVE-2026-44654?

In LibreChat up to version 0.8.3, a shared-agent editor can delete file records globally through the DELETE /api/files endpoint. The deletion also disrupts private agents managed by the file owner: they are left with stale file_id references, which can cause functionality failures without alerting the owner. This is an integrity violation between agents, in which editing access inappropriately affects multiple agents. Users are advised to upgrade to version 0.8.4, which includes a patch for this issue.

Affected Version(s)

LibreChat < 0.8.5

CVSS V4

Score: 5.7
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
