CVE-2026-54029
Status: Undergoing Analysis - In Progress
Stored Message Deletion in LibreChat

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the DELETE /api/messages/:conversationId/:messageId endpoint allows any authenticated user to delete any other user's messages. The validateMessageReq middleware only validates that the conversationId belongs to the requesting user, but the handler calls deleteMessages({ messageId }) using only the messageId as the MongoDB filter, without adding a user constraint. An attacker provides their own valid conversationId (to pass validation) and the victim's messageId (to target deletion), resulting in permanent, irrecoverable message deletion. This vulnerability is fixed in 0.8.4-rc1.
Meta Information
Generated: 2026-06-26
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor        Product     Version / Range
librechat     librechat   to 0.8.4-rc1 (inc)
danny_avila   librechat   0.8.4-rc1
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-54029 is an Insecure Direct Object Reference (IDOR) vulnerability in the LibreChat application affecting the message deletion functionality.

The vulnerability occurs because the deleteMessages() function uses only the message ID as its filter, without verifying whether the message belongs to the requesting user.

An attacker who is an authenticated user can provide their own valid conversation ID to pass validation and the victim's message ID to delete messages that do not belong to them.

This results in permanent and irrecoverable deletion of any message in the system.

Impact Analysis

This vulnerability can lead to evidence tampering, service disruption, and data loss.

Since messages are permanently removed from the MongoDB database without soft-deletion, deleted messages cannot be recovered.

An attacker exploiting this flaw can delete important messages belonging to other users, potentially causing loss of critical information and impacting the integrity of communications.

Detection Guidance

This vulnerability can be detected by monitoring API requests to the DELETE /api/messages/:conversationId/:messageId endpoint for suspicious activity where an authenticated user attempts to delete messages that do not belong to their own conversation.

Specifically, detection involves checking if the messageId being deleted does not correspond to the requesting user's messages, indicating potential exploitation of the IDOR vulnerability.

Detection methods include analyzing server logs or MongoDB query logs for DELETE requests with mismatched user and message ownership.

  • Use MongoDB queries to check ownership of the targeted message, for example: db.messages.find({ _id: ObjectId(messageId), userId: { $ne: requestingUserId } }) to identify messages targeted for deletion that are not owned by the requesting user. Note that this query only matches documents that still exist; once a document has been removed it no longer appears in the collection, so after-the-fact auditing needs the MongoDB oplog, change streams, or application-level request logs.
  • Monitor HTTP access logs for DELETE requests to /api/messages/ and correlate conversationId and messageId with authenticated user sessions.
Mitigation Strategies

The immediate mitigation step is to upgrade LibreChat to version 0.8.4-rc1 or later, where this vulnerability has been fixed by properly adding user constraints to the deleteMessages() function.

Until the upgrade is applied, restrict access to the DELETE /api/messages/:conversationId/:messageId endpoint to trusted users only, or disable message deletion functionality temporarily.

Additionally, review and enhance authorization checks in the message deletion logic to ensure that users can only delete their own messages.
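A runnable model of the request flow the Description and this mitigation describe, added here as an example and not LibreChat's own code: an in-memory array stands in for the MongoDB collection, validateMessageReq and deleteMessages are simplified stand-ins named after the page's functions, and the field names user, conversationId and messageId are assumptions. The scopeToUser flag contrasts the messageId-only filter with a filter that also carries the requesting user, which is the constraint the fix adds.

```javascript
// Added illustration, not LibreChat's code. Field names and store shapes are assumptions.
// Constructed sample data: two users, each owning one conversation and one message.
const conversations = [
  { conversationId: 'conv-a', user: 'alice' },
  { conversationId: 'conv-b', user: 'bob' },
];
function freshMessages() {
  return [
    { messageId: 'msg-a1', conversationId: 'conv-a', user: 'alice', text: 'hello' },
    { messageId: 'msg-b1', conversationId: 'conv-b', user: 'bob', text: 'keep me' },
  ];
}

// Stand-in for the validateMessageReq middleware: it ties only the
// conversationId in the URL to the requesting user; the messageId is not checked.
function validateMessageReq(user, conversationId) {
  return conversations.some((c) => c.conversationId === conversationId && c.user === user);
}

// Stand-in for deleteMessages(filter): like a deleteMany, it removes every
// document whose fields match all keys in the filter and returns the count.
function deleteMessages(messages, filter) {
  const keep = messages.filter((m) => !Object.keys(filter).every((k) => m[k] === filter[k]));
  const deletedCount = messages.length - keep.length;
  messages.splice(0, messages.length, ...keep);
  return deletedCount;
}

// Handler for DELETE /api/messages/:conversationId/:messageId.
// scopeToUser=false: the pre-0.8.4-rc1 filter { messageId } alone.
// scopeToUser=true: the filter also carries the user constraint the fix adds,
// so a messageId outside the caller's own data matches nothing.
function handleDelete(messages, user, conversationId, messageId, scopeToUser) {
  if (!validateMessageReq(user, conversationId)) {
    return { status: 403, deletedCount: 0 };
  }
  const filter = scopeToUser ? { messageId, user } : { messageId };
  const deletedCount = deleteMessages(messages, filter);
  return { status: deletedCount ? 200 : 404, deletedCount };
}

// Stand-alone run: the same request (alice's own conversation, bob's messageId)
// removes bob's message without the user constraint and nothing with it.
const unscoped = handleDelete(freshMessages(), 'alice', 'conv-a', 'msg-b1', false);
const scoped = handleDelete(freshMessages(), 'alice', 'conv-a', 'msg-b1', true);
console.log(unscoped, scoped); // { status: 200, deletedCount: 1 } { status: 404, deletedCount: 0 }
```

The middleware check passes in both runs because the conversationId is the caller's own; only the scoped filter makes the messageId itself subject to ownership.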

Compliance Impact

This vulnerability allows any authenticated user to permanently delete messages belonging to other users without proper authorization, leading to potential evidence tampering, data loss, and service disruption.

Such unauthorized deletion of user data can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require maintaining data integrity, ensuring proper access controls, and protecting user data from unauthorized modification or deletion.

Specifically, the inability to prevent unauthorized message deletion may violate principles of data integrity and accountability mandated by these standards.
