CVE-2026-34371

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-34371

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-34371.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-34371

Aliases

GHSA-qrm5-r67f-6692

Published

2026-04-07T21:08:13.175Z

Modified

2026-04-09T11:45:28.483513Z

Severity

6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N CVSS Calculator

Summary

LibreChat Affected by Arbitrary File Write via `execute_code` Artifact Filename Traversal

Details

LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the executecode sandbox when persisting code-generated artifacts. On deployments using the default local file strategy, a malicious artifact filename containing traversal sequences (for example, ../../../../../app/client/dist/poc.txt) is concatenated into the server-side destination path and written with fs.writeFileSync() without sanitization. This gives any user who can trigger executecode an arbitrary file write primitive as the LibreChat server user. This vulnerability is fixed in 0.8.4.

Database specific

{
    "cwe_ids": [
        "CWE-22"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34371.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/danny-avila/librechat

Affected ranges

Type

GIT

Repo

https://github.com/danny-avila/librechat

Events

Introduced

Fixed

0736ff26686e911c9785a237c63a799db1813f0b

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.8.4"
        }
    ]
}

Affected versions

chart-1.*

chart-1.9.0

chart-1.9.1

chart-1.9.2

chart-1.9.3

chart-1.9.4

chart-1.9.5

chart-1.9.6

chart-1.9.7

chart-1.9.8

chart-1.9.9

chart-2.*

chart-2.0.0

chart-2.0.1

librechat-1.*

librechat-1.8.9

v0.*

v0.0.1

v0.0.2

v0.0.3

v0.0.6

v0.1.0

v0.1.1

v0.2.0

v0.3.0

v0.3.3

v0.4.0

v0.4.1

v0.4.2

v0.4.3

v0.4.4

v0.4.5

v0.4.6

v0.4.7

v0.4.8

v0.5.0

v0.5.1

v0.5.2

v0.5.3

v0.5.4

v0.5.5

v0.5.6

v0.5.7

v0.5.8

v0.5.9

v0.6.0

v0.6.1

v0.6.10

v0.6.5

v0.6.6

v0.6.9

v0.7.0

v0.7.1

v0.7.2

v0.7.3

v0.7.3-rc

v0.7.3-rc2

v0.7.4

v0.7.4-rc1

v0.7.5

v0.7.5-rc1

v0.7.5-rc2

v0.7.6

v0.7.6-rc1

v0.7.7

v0.7.7-rc1

v0.7.8

v0.7.8-rc1

v0.7.9

v0.7.9-rc1

v0.8.0

v0.8.0-rc1

v0.8.0-rc2

v0.8.0-rc3

v0.8.0-rc4

v0.8.1

v0.8.1-rc1

v0.8.1-rc2

v0.8.2

v0.8.2-rc1

v0.8.2-rc2

v0.8.2-rc3

v0.8.3

v0.8.3-rc1

v0.8.3-rc2

v0.8.4-rc1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-34371.json"