CVE-2024-11167

Published: Mar 20, 2025Modified: Jul 15, 2025

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

An improper access control vulnerability in danny-avila/librechat versions prior to 0.7.6 allows authenticated users to delete other users' prompts via the groupid parameter. This issue occurs because the endpoint does not verify whether the provided prompt ID belongs to the current user.

Affected (1)

Products: Librechat: Librechat

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Librechat Librechat	Before 0.7.6

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (2)

https://github.com/danny-avila/librechat/commit/5071bdbf9ac621165f0e8d009818851f3951eee7

Source: security@huntr.dev

Patch

https://huntr.com/bounties/298f5760-5797-4432-8b9e-544609d612c0

Source: security@huntr.dev

ExploitThird Party Advisory

Timeline

No history available yet.