CVE-2025-69220
Published: 07 January 2026
Summary
CVE-2025-69220 is a high-severity Improper Access Control (CWE-284) vulnerability in Librechat Librechat. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
The access control policy and procedures directly mandate and enforce proper access control mechanisms across the organization.
Supervision and review of access control activities directly detects and remediates improper access configurations or usages.
Explicitly identifying and documenting actions permitted without identification or authentication enforces proper access control boundaries by defining justified exceptions.
Associating and retaining security attributes with data directly supports enforcement of access control decisions across storage, processing, and transmission.
Requiring prior authorization for each remote access type prevents improper access control over remote connections.
Requiring authorization of wireless access before allowing connections enforces proper access control for this access method.
Requiring authorization and configuration controls for mobile device connections directly enforces access control and prevents unauthorized devices from reaching organizational systems.
Defining account types, requiring approvals for creation, specifying authorizations, monitoring usage, and reviewing accounts directly prevents improper access control by ensuring only authorized accounts exist and are used.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Improper access control (CWE-284/862) in a web-based chat/agent application directly enables remote exploitation of a public-facing service to perform unauthorized configuration changes via file uploads.
NVD Description
LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file uploads to an agents file context and file search. An authenticated attacker with access to the agent ID can change the behavior…
more
of arbitrary agents by uploading new files to the file context or file search, even if they have no permissions for this agent. This issue is fixed in version 0.8.2-rc2.
Deeper analysisAI
CVE-2025-69220 is an improper access control vulnerability affecting LibreChat, an open-source ChatGPT clone with additional features, specifically in version 0.8.1-rc2. The flaw lies in the failure to enforce proper access controls for file uploads to an agent's file context and file search functionality, linked to CWE-284 (Improper Access Control) and CWE-862 (Missing Authorization). This allows unauthorized modifications to agent configurations through file uploads. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L), indicating high integrity impact with scope change.
An authenticated attacker with low privileges (PR:L) who has access to an agent ID can exploit this over the network (AV:N), though it requires high attack complexity (AC:H) and no user interaction (UI:N). By uploading malicious files to the file context or file search of arbitrary agents, the attacker can alter their behavior, even without explicit permissions for those agents. This leads to high integrity impact (I:H) and low availability impact (A:L), potentially enabling unauthorized control over AI agent operations in a scoped but changed environment (S:C).
The GitHub security advisory (GHSA-xcmf-rpmh-hg59) and release notes confirm the issue is fixed in LibreChat version 0.8.2-rc2, with the patching commit available at https://github.com/danny-avila/LibreChat/commit/4b9c6ab1cb9de626736de700c7981f38be08d237. Security practitioners should upgrade to the fixed release and review access to agent IDs in multi-user deployments.
Details
- CWE(s)