Cyber Resilience

CVE-2026-33265

MediumPublic PoC

Published: 18 March 2026

Published
18 March 2026
Modified
24 March 2026
KEV Added
Patch
CVSS Score v3.1 6.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
EPSS Score 0.0023 13.9th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-33265 is a medium-severity Incorrect Resource Transfer Between Spheres (CWE-669) vulnerability in Librechat Librechat. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 13.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2026-33265 is a vulnerability in LibreChat version 0.8.1-rc2, where a logged-in user obtains a JWT token valid for both the LibreChat API and the RAG API. This issue, published on 2026-03-18, carries a CVSS v3.1 base score of 6.3 (AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L) and maps to CWE-669 (Incorrect Resource Transfer Between Spheres), indicating improper handling of authentication credentials across API boundaries.

The attack requires a local, low-privileged adversary, such as an authenticated user, who can exploit it with low complexity and no user interaction. Exploitation changes the scope and enables limited impacts on confidentiality, integrity, and availability, likely through unauthorized access enabled by the shared JWT validity.

Advisories provide further details on mitigation; refer to the SBA Research advisory at https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20251205-01_LibreChat_RAG_API_Authentication_Bypass, which addresses the RAG API authentication bypass, and the OSS-Security mailing list announcement at https://www.openwall.com/lists/oss-security/2026/03/18/3.

EU & UK References

Vulnerability details

In LibreChat 0.8.1-rc2, a logged-in user obtains a JWT for both the LibreChat API and the RAG API.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: librechat

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1550.001 Application Access Token Lateral Movement
Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems.
Why these techniques?

The auth bypass allows a low-privileged logged-in user to misuse a legitimately obtained JWT for unauthorized RAG API access (scope change), directly enabling exploitation for privilege escalation and use of application access tokens as alternate authentication material.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31944Same product: Librechat Librechat
CVE-2025-69220Same product: Librechat Librechat
CVE-2024-10361Same product: Librechat Librechat
CVE-2025-41258Same product: Librechat Librechat
CVE-2026-31942Same product: Librechat Librechat
CVE-2026-32625Same product: Librechat Librechat
CVE-2026-31943Same product: Librechat Librechat
CVE-2025-69222Same product: Librechat Librechat
CVE-2026-4276Same product: Librechat Librechat
CVE-2026-22252Same product: Librechat Librechat

Affected Assets

librechat
librechat
0.8.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for information flow between the LibreChat API and RAG API spheres, directly preventing incorrect resource transfer via shared JWT tokens.

prevent

Mandates enforcement of access control policies at each API, blocking unauthorized access enabled by JWT validity across boundaries.

prevent

Applies least privilege to restrict JWT scopes to only the intended API, mitigating over-privileging that allows exploitation across APIs.

References