CVE-2026-54037
Status: Undergoing Analysis - In Progress
Authenticated API Abuse in LibreChat

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the fix for CVE-2025-7105 added forkIpLimiter and forkUserLimiter rate limiters to POST /api/convos/fork to prevent rapid-fire conversation duplication. However, the POST /api/convos/duplicate endpoint, which is in the same file and performs the exact same expensive database operations, was not given any rate limiter. An authenticated user can bypass the CVE-2025-7105 fix by using /duplicate instead of /fork to exhaust server resources. This vulnerability is fixed in 0.8.4-rc1.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-26
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products (3 associated CPEs)
Vendor        Product     Version / Range
librechat     librechat   up to 0.8.4-rc1 (inclusive)
danny_avila   librechat   0.8.4-rc1
danny_avila   librechat   up to 0.8.4-rc1 (exclusive)
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Quick Actions
Executive Summary

This vulnerability exists in LibreChat versions prior to 0.8.4-rc1. Although a previous fix (CVE-2025-7105) added rate limiters to the POST /api/convos/fork endpoint to prevent rapid conversation duplication, the POST /api/convos/duplicate endpoint was not protected by any rate limiter. Both endpoints perform the same expensive database operations. An authenticated user can exploit this by using the /duplicate endpoint to bypass the rate limiting and exhaust server resources.

Impact Analysis

The vulnerability can be exploited by an authenticated user to exhaust server resources by rapidly duplicating conversations through the unprotected /duplicate endpoint. This can lead to denial of service conditions, impacting the availability and performance of the LibreChat service.

Mitigation Strategies

To mitigate this vulnerability, upgrade LibreChat to version 0.8.4-rc1 or later, where the issue with missing rate limiting on the POST /api/convos/duplicate endpoint has been fixed.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by monitoring for excessive or rapid POST requests to the /api/convos/duplicate endpoint on LibreChat versions prior to 0.8.4-rc1. Since the endpoint lacks rate limiting, unusually high traffic or repeated requests from the same authenticated user may indicate exploitation attempts.

To detect potential exploitation, you can analyze web server logs or use network monitoring tools to filter POST requests targeting /api/convos/duplicate.

  • Using grep on server logs to find POST requests to the vulnerable endpoint: grep 'POST /api/convos/duplicate' /path/to/access.log
  • Using curl to test the endpoint (requires authentication): curl -X POST -H 'Authorization: Bearer <token>' https://your-librechat-instance/api/convos/duplicate -d '{"conversationId":"<id>"}'
  • Using monitoring tools like Wireshark or tcpdump to capture and filter HTTP POST traffic to /api/convos/duplicate.

Additionally, monitoring MongoDB write throughput and server resource usage (CPU, memory, disk space) can help identify if the server is being exhausted due to exploitation of this vulnerability.
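The log-based detection described above, as an added example that is not part of the CVE record or the LibreChat project: a sliding-window check over constructed access-log lines that flags any actor issuing more than a threshold of POST /api/convos/duplicate requests inside a fixed window. The combined log format, the use of the remote-user field as the actor (falling back to the client IP), and the threshold and window values are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format with the remote-user field (assumption: a reverse proxy fills it
# with the authenticated username; "-" means unknown, in which case the IP is used).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET = ("POST", "/api/convos/duplicate")  # the unprotected endpoint from the advisory


def _line(ip, user, sec, method, path, status=200):
    """Build one constructed sample log line (not taken from any real system)."""
    return (f'{ip} - {user} [25/Jun/2026:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512')


# Constructed sample: "alice" fires 12 duplicates in 22 seconds; an unnamed client
# sends 3 spread over 50 seconds; a /fork call and a GET are present to show filtering.
SAMPLE_LOG = (
    [_line("203.0.113.5", "alice", s, "POST", "/api/convos/duplicate") for s in range(0, 24, 2)]
    + [_line("198.51.100.7", "-", s, "POST", "/api/convos/duplicate") for s in (5, 30, 55)]
    + [_line("198.51.100.7", "-", 7, "POST", "/api/convos/fork")]
    + [_line("203.0.113.5", "alice", 9, "GET", "/api/convos/duplicate")]
)


def parse_line(line):
    """Return (actor, timestamp, method, path) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    actor = m["user"] if m["user"] != "-" else m["ip"]
    return actor, ts, m["method"], m["path"].split("?", 1)[0]


def find_bursts(lines, threshold=10, window_s=60):
    """Return {actor: peak_count} for every actor whose POST /api/convos/duplicate
    count exceeds `threshold` within any `window_s`-second window.
    Assumes each actor's lines arrive in non-decreasing timestamp order."""
    recent = defaultdict(deque)  # actor -> timestamps inside the current window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        actor, ts, method, path = parsed
        if (method, path) != TARGET:
            continue
        q = recent[actor]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold:
            peaks[actor] = max(peaks.get(actor, 0), len(q))
    return peaks
```

Tune threshold and window to the instance's normal duplication rate; the deliberately small sample flags only "alice" at the default settings.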
