HIGH 8.1

CVE-2026-44654: LibreChat File Deletion Cross-Agent Integrity Bypass

LibreChat is an open-source ChatGPT alternative that integrates multiple AI providers. A critical flaw in versions up to 0.8.3 allows a user with editing privileges on a shared agent to permanently delete files — not just from that shared agent, but globally across the entire system. This means if a file owner has reused the same file across multiple private agents, an attacker with edit access to just one shared agent can destroy those files, leaving the owner's other agents broken with orphaned file references. The owner doesn't control the attacker's edit access to their own private agents; they simply stop working.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Weaknesses (CWE)
CWE-863
Affected products
1 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, a shared-agent editor can delete file records through `DELETE /api/files` that the owner has reused across multiple agents. The deletion removes the file globally — not just from the shared agent — breaking the owner's other private agents that reference the same `file_id`. The private agent retains a stale `file_id` reference that no longer resolves. A shared-agent editor can destroy files that the owner uses across multiple agents. The owner's private agents — which the attacker has no access to — break silently with stale `file_id` references. This is a cross-agent integrity violation: editing access to one agent should not affect another. Version 0.8.4 contains a patch.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-44654 is an authorization and data integrity bypass in LibreChat ≤0.8.3. The `DELETE /api/files` endpoint lacks proper scope validation, permitting a shared-agent editor to issue deletion requests that remove file records globally rather than scoped to that agent context. The vulnerability exploits the absence of ownership or context checks before file deletion. When a file is deleted, any agent (including private agents owned by the file creator) that holds a reference to that `file_id` becomes non-functional, as the file record no longer exists in the database. The attacker gains no direct access to private agents but achieves denial-of-service and data destruction through indirect object reference manipulation. This violates the cross-agent integrity assumption: permission to edit one agent should never grant the ability to corrupt another agent's state.

Business impact

Organizations using LibreChat for multi-agent AI workflows face operational disruption and data loss risk. An insider or compromised account with shared-agent editing privileges can sabotage file availability across an entire workspace, not just within the scope of one agent. For teams relying on LibreChat to orchestrate AI interactions across research, customer support, or content generation workflows, an attacker can force downtime by rendering files inaccessible. Recovery requires manual intervention to re-upload or rebuild file linkages. In regulated environments, silent data unavailability (stale file references that don't resolve) may trigger audit and compliance concerns if change logs don't clearly document the attack.

Affected systems

LibreChat version 0.8.3 and all prior releases are affected. The vulnerability requires the attacker to hold a user account with editing privileges on at least one shared agent. Self-hosted and SaaS deployments of LibreChat are both at risk if running vulnerable versions. Users who operate only private agents are unaffected if those agents are never shared with other users. However, any multi-user deployment where files are reused across agents is vulnerable. Version 0.8.4 and later contain the fix.

Exploitability

Exploitation requires authentication and existing edit access to a shared agent — a low bar in collaborative environments. No special tooling is needed; the attacker sends a standard DELETE request to `/api/files` with a known `file_id`. Timing is trivial. The only friction is obtaining or creating a shared agent with edit privileges, which is a normal part of LibreChat's intended workflow. Once an attacker identifies a file shared across agents, they can immediately delete it. Silent breakage means the owner may not discover the attack until a dependent workflow fails. The CVSS 8.1 HIGH rating reflects high integrity impact (file deletion) and high availability impact (broken agents) coupled with low attack complexity and low privileges required.

Remediation

Upgrade LibreChat to version 0.8.4 or later. The patch enforces proper scope validation and ownership checks before deletion, ensuring that a shared-agent editor can only delete files within that agent's context, not globally. Organizations should prioritize this update in environments where files are shared or reused across multiple agents. Verify the upgrade by confirming version 0.8.4 is running and testing that a shared-agent user cannot delete files visible only to other agents.

Patch guidance

Update LibreChat from 0.8.3 or earlier to 0.8.4 or later. If running a self-hosted instance, pull the latest release from the LibreChat repository and restart the service. If using a managed SaaS deployment, check with your provider for the rollout timeline. No rollback or additional configuration steps are documented as necessary. After patching, verify that the deletion endpoint now respects agent boundaries and ownership rules.

Detection guidance

Monitor `/api/files` DELETE requests in application logs, particularly those from shared-agent contexts. Flag any DELETE operations on files that are also referenced by other agents or users. Check for patterns of rapid file deletion from shared agents. Audit file reference tables for orphaned `file_id` values that no longer resolve in the file store — these indicate successful attacks. Review agent edit-access logs to identify which users hold editing privileges on shared agents and could pose insider risk. Consider implementing file deletion audits that cross-reference the agent context and file ownership before confirming success.

Why prioritize this

This vulnerability combines high business impact with low barriers to exploitation. Any authenticated user with shared-agent editing rights — a common role in team environments — can cause data loss affecting other users' private workflows. The silent nature of the breakage (stale file references don't immediately surface errors) may delay detection and compound damage. While it requires authentication, the scope violation is severe: it violates fundamental assumptions about cross-user isolation. Organizations running LibreChat in production should treat this as high priority for patching.

Risk score, explained

CVSS 3.1 score of 8.1 (HIGH) reflects: high integrity impact (authorized deletion of files), high availability impact (agents become non-functional), low attack complexity (standard DELETE request), low privileges required (any shared-agent editor), no user interaction needed, and unchanged scope (the attack affects only LibreChat, not external systems). The score would be 9.0+ if the attack were unauthenticated or required no privileges; it is tempered by the need for legitimate editing access, but the scope violation and data destruction justify the HIGH rating.

Frequently asked questions

Can a shared-agent editor see or access the owner's private agents?

No. A shared-agent editor has access only to the shared agent itself. However, they can delete files globally, which breaks private agents that reference those same files indirectly through orphaned file IDs.

Does the patch require data recovery or file restoration?

The patch prevents future attacks but does not automatically restore deleted files. If files were deleted before the patch, they are not recoverable through the patch alone. Organizations should restore from backups if available.

What if our LibreChat deployment is air-gapped or internal-only?

Risk is reduced but not eliminated. An insider or compromised internal account with shared-agent editing rights can still exploit the vulnerability. Patching is still strongly recommended.

How do we know if we've been attacked?

Review file deletion audit logs and check for orphaned `file_id` references in agents that should have functional files. Test affected workflows to confirm files are still accessible. If you see file delete operations from shared-agent contexts followed by agent errors, investigate further.

This explainer is provided for informational purposes. No exploit code or weaponized proof-of-concept is included. Verify all patch versions and remediation steps against official LibreChat vendor advisories. This assessment is based on public CVE data and does not constitute legal or compliance advice. Organizations should conduct their own risk assessment and testing before deploying patches to production environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).