Cyber Resilience

CVE-2025-69220

HighPublic PoC

Published: 07 January 2026

Published
07 January 2026
Modified
15 January 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L
EPSS Score 0.0005 16.1th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-69220 is a high-severity Improper Access Control (CWE-284) vulnerability in Librechat Librechat. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-69220 is an improper access control vulnerability affecting LibreChat, an open-source ChatGPT clone with additional features, specifically in version 0.8.1-rc2. The flaw lies in the failure to enforce proper access controls for file uploads to an agent's file context and file search functionality, linked to CWE-284 (Improper Access Control) and CWE-862 (Missing Authorization). This allows unauthorized modifications to agent configurations through file uploads. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L), indicating high integrity impact with scope change.

An authenticated attacker with low privileges (PR:L) who has access to an agent ID can exploit this over the network (AV:N), though it requires high attack complexity (AC:H) and no user interaction (UI:N). By uploading malicious files to the file context or file search of arbitrary agents, the attacker can alter their behavior, even without explicit permissions for those agents. This leads to high integrity impact (I:H) and low availability impact (A:L), potentially enabling unauthorized control over AI agent operations in a scoped but changed environment (S:C).

The GitHub security advisory (GHSA-xcmf-rpmh-hg59) and release notes confirm the issue is fixed in LibreChat version 0.8.2-rc2, with the patching commit available at https://github.com/danny-avila/LibreChat/commit/4b9c6ab1cb9de626736de700c7981f38be08d237. Security practitioners should upgrade to the fixed release and review access to agent IDs in multi-user deployments.

EU & UK References

Vulnerability details

LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file uploads to an agents file context and file search. An authenticated attacker with access to the agent ID can change the behavior…

more

of arbitrary agents by uploading new files to the file context or file search, even if they have no permissions for this agent. This issue is fixed in version 0.8.2-rc2.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: chatgpt, librechat

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Improper access control (CWE-284/862) in a web-based chat/agent application directly enables remote exploitation of a public-facing service to perform unauthorized configuration changes via file uploads.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-41258Same product: Librechat Librechat
CVE-2025-69222Same product: Librechat Librechat
CVE-2026-4276Same product: Librechat Librechat
CVE-2026-31943Same product: Librechat Librechat
CVE-2024-10361Same product: Librechat Librechat
CVE-2026-31942Same product: Librechat Librechat
CVE-2026-33265Same product: Librechat Librechat
CVE-2026-22252Same product: Librechat Librechat
CVE-2026-31944Same product: Librechat Librechat
CVE-2026-31945Same product: Librechat Librechat

Affected Assets

librechat
librechat
0.8.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authorization checks before allowing file uploads to an agent's context or search, blocking the unauthorized modification described in the CVE.

prevent

Requires that only the minimum privileges needed to manage a specific agent are granted, preventing an authenticated user from affecting arbitrary agents via file uploads.

prevent

Restricts the ability to perform configuration-changing actions (file uploads that alter agent behavior) to only authorized principals.

References