Unauthorized File Upload in LibreChat by Danny Avila
CVE-2026-54027
6.5 MEDIUM
What is CVE-2026-54027?
A vulnerability in LibreChat allows any authenticated user to upload files to any agent's tool_resources via the POST /api/files/images endpoint without ownership verification or EDIT permissions on that agent. A previous patch added a permission check to the POST /api/files route, but the check was not extended to the image upload route, so the authorization control could be bypassed through that route. This issue has been addressed in version 0.8.4-rc1.
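The gap described above, as an added example that is not LibreChat's code: a constructed in-memory route table where the permission guard covers one upload route but not its sibling, the corrected table, and a regression check that lists routes reaching the shared handler without the guard. All function names, users and the `editors` field are hypothetical.

```javascript
// Constructed model of the flaw class; every name here is hypothetical.
function makeStore() {
  return new Map([['agent_a', { author: 'alice', editors: ['bob'], tool_resources: [] }]]);
}

// Authorization guard: the caller must own the agent or hold EDIT on it.
function requireAgentEdit(req, store) {
  const agent = store.get(req.body.agent_id);
  if (!agent) return { status: 404 };
  const allowed = agent.author === req.user || agent.editors.includes(req.user);
  return allowed ? null : { status: 403 };
}

// Shared handler: both upload routes end up writing to tool_resources.
function attachToAgent(req, store) {
  const agent = store.get(req.body.agent_id);
  if (!agent) return { status: 404 };
  agent.tool_resources.push(req.body.file_id);
  return { status: 200 };
}

// "Before": the guard was added to one route only.
const beforeFix = {
  'POST /api/files': { guards: [requireAgentEdit], handler: attachToAgent },
  'POST /api/files/images': { guards: [], handler: attachToAgent },
};

// "After": every route that reaches attachToAgent carries the guard.
const afterFix = {
  'POST /api/files': { guards: [requireAgentEdit], handler: attachToAgent },
  'POST /api/files/images': { guards: [requireAgentEdit], handler: attachToAgent },
};

// Run guards in order; the first denial short-circuits the handler.
function dispatch(routes, key, req, store) {
  const route = routes[key];
  if (!route) return { status: 404 };
  for (const guard of route.guards) {
    const denied = guard(req, store);
    if (denied) return denied;
  }
  return route.handler(req, store);
}

// Regression check: routes that reach a sensitive handler without the guard.
function unguardedRoutes(routes, handler, guard) {
  return Object.keys(routes)
    .filter((k) => routes[k].handler === handler && !routes[k].guards.includes(guard))
    .sort();
}
```

Running `unguardedRoutes` over the real route table in CI turns this class of omission into a failing test instead of relying on each new route remembering the check.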
Affected Version(s)
LibreChat < 0.8.4-rc1
