CVE-2025-69220
Published: 07 January 2026
Summary
CVE-2025-69220 is a high-severity Improper Access Control (CWE-284) vulnerability in Librechat Librechat. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-69220 is an improper access control vulnerability affecting LibreChat, an open-source ChatGPT clone with additional features, specifically in version 0.8.1-rc2. The flaw lies in the failure to enforce proper access controls for file uploads to an agent's file context and file search functionality, linked to CWE-284 (Improper Access Control) and CWE-862 (Missing Authorization). This allows unauthorized modifications to agent configurations through file uploads. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L), indicating high integrity impact with scope change.
An authenticated attacker with low privileges (PR:L) who has access to an agent ID can exploit this over the network (AV:N), though it requires high attack complexity (AC:H) and no user interaction (UI:N). By uploading malicious files to the file context or file search of arbitrary agents, the attacker can alter their behavior, even without explicit permissions for those agents. This leads to high integrity impact (I:H) and low availability impact (A:L), potentially enabling unauthorized control over AI agent operations in a scoped but changed environment (S:C).
The GitHub security advisory (GHSA-xcmf-rpmh-hg59) and release notes confirm the issue is fixed in LibreChat version 0.8.2-rc2, with the patching commit available at https://github.com/danny-avila/LibreChat/commit/4b9c6ab1cb9de626736de700c7981f38be08d237. Security practitioners should upgrade to the fixed release and review access to agent IDs in multi-user deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206261
Vulnerability details
LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file uploads to an agents file context and file search. An authenticated attacker with access to the agent ID can change the behavior…
more
of arbitrary agents by uploading new files to the file context or file search, even if they have no permissions for this agent. This issue is fixed in version 0.8.2-rc2.
- CWE(s)
AI Security AnalysisAI
- AI Category
- LLM Application Platforms
- Risk Domain
- LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: chatgpt, librechat
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Improper access control (CWE-284/862) in a web-based chat/agent application directly enables remote exploitation of a public-facing service to perform unauthorized configuration changes via file uploads.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces authorization checks before allowing file uploads to an agent's context or search, blocking the unauthorized modification described in the CVE.
Requires that only the minimum privileges needed to manage a specific agent are granted, preventing an authenticated user from affecting arbitrary agents via file uploads.
Restricts the ability to perform configuration-changing actions (file uploads that alter agent behavior) to only authorized principals.