{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34371", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T13:43:14.369Z", "datePublished": "2026-04-07T21:08:13.175Z", "dateUpdated": "2026-04-08T16:14:43.926Z"}, "containers": {"cna": {"title": "LibreChat Affected by Arbitrary File Write via `execute_code` Artifact Filename Traversal", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-qrm5-r67f-6692", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-qrm5-r67f-6692"}], "affected": [{"vendor": "danny-avila", "product": "LibreChat", "versions": [{"version": "< 0.8.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T21:08:13.175Z"}, "descriptions": [{"lang": "en", "value": "LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the execute_code sandbox when persisting code-generated artifacts. On deployments using the default local file strategy, a malicious artifact filename containing traversal sequences (for example, ../../../../../app/client/dist/poc.txt) is concatenated into the server-side destination path and written with fs.writeFileSync() without sanitization. This gives any user who can trigger execute_code an arbitrary file write primitive as the LibreChat server user. This vulnerability is fixed in 0.8.4."}], "source": {"advisory": "GHSA-qrm5-r67f-6692", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-qrm5-r67f-6692", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T16:10:31.032341Z", "id": "CVE-2026-34371", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:14:43.926Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34371", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T16:10:31.032341Z"}}}], "references": [{"url": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-qrm5-r67f-6692", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:10:38.832Z"}}], "cna": {"title": "LibreChat Affected by Arbitrary File Write via `execute_code` Artifact Filename Traversal", "source": {"advisory": "GHSA-qrm5-r67f-6692", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "danny-avila", "product": "LibreChat", "versions": [{"status": "affected", "version": "< 0.8.4"}]}], "references": [{"url": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-qrm5-r67f-6692", "name": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-qrm5-r67f-6692", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the execute_code sandbox when persisting code-generated artifacts. On deployments using the default local file strategy, a malicious artifact filename containing traversal sequences (for example, ../../../../../app/client/dist/poc.txt) is concatenated into the server-side destination path and written with fs.writeFileSync() without sanitization. This gives any user who can trigger execute_code an arbitrary file write primitive as the LibreChat server user. This vulnerability is fixed in 0.8.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T21:08:13.175Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34371", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:14:43.926Z", "dateReserved": "2026-03-27T13:43:14.369Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T21:08:13.175Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:librechat:librechat:*:*:*:*:*:*:*:*", "matchCriteriaId": "63FE1740-F55B-4D56-92E5-407F97DA3475", "versionEndExcluding": "0.8.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the execute_code sandbox when persisting code-generated artifacts. On deployments using the default local file strategy, a malicious artifact filename containing traversal sequences (for example, ../../../../../app/client/dist/poc.txt) is concatenated into the server-side destination path and written with fs.writeFileSync() without sanitization. This gives any user who can trigger execute_code an arbitrary file write primitive as the LibreChat server user. This vulnerability is fixed in 0.8.4."}], "id": "CVE-2026-34371", "lastModified": "2026-04-14T19:24:03.290", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T22:16:22.227", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-qrm5-r67f-6692"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-qrm5-r67f-6692"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.8.4)"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "LibreChat", "source": "cna", "vendor": "danny-avila"}, "product": "libre_chat", "vendor": "danny-avila"}], "analysis": {"en": {"generated_at": "2026-04-14T21:30:46.555617+00:00", "value": {"mitigation_remediation": ["Upgrade LibreChat to version 0.8.4 or later.", "If an upgrade is not possible, disable the execute_code endpoint or remove the ability for users to specify custom artifact filenames.", "Restrict the file system permissions of the LibreChat process to limit writable locations.", "Implement monitoring for unexpected file creation or overwrites in the application directories."], "summary": {"action": "Patch Immediately", "impact": "Arbitrary File Write"}, "threat_synthesis": {"affected_systems": "Any deployment of LibreChat prior to version 0.8.4 that uses the default local file strategy is impacted. The vulnerability affects the product named LibreChat from the vendor danny\u2011avila. No additional product versions are specified beyond the 0.8.4 threshold.", "description_and_impact": "LibreChat, a ChatGPT clone developed by danny\u2011avila, allows an attacker to write arbitrary files through the execute_code sandbox. The vulnerability originates from the unsanitized artifact filename supplied by the sandbox when generating code artifacts. When a malicious filename includes directory traversal sequences, the server concatenates it to the local file path and writes the file using fs.writeFileSync. This flaw falls under CWE\u201122 and grants an attacker the ability to create or overwrite files as the LibreChat server user, potentially compromising configuration or injecting malicious code.", "risk_and_exploitability": "The CVSS score of 6.3 indicates moderate severity, while an EPSS score below 1% suggests a low likelihood of active exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. The attack vector is inferred to be remote, relying on the ability to trigger the execute_code feature \u2013 presumably by providing executable code that returns a crafted filename. Once triggered, the attacker can write any file within the server\u2019s writable directories, which is a critical privilege escalation risk."}}}}, "created": "2026-04-08T19:34:12.229965+00:00", "updated": "2026-04-15T16:15:11.966496+00:00", "vendors": ["danny-avila", "danny-avila$PRODUCT$libre_chat"]}