CVE-2025-41258 · HIGH 8.0 · EPSS p26.1%

CVE-2025-41258

Description

LibreChat version 0.8.1-rc2 uses the same JWT secret for the user session mechanism and the RAG API, which compromises the service-level authentication of the RAG API.

Scoring

CVSS 3.1: 8.0 (HIGH)
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.34% probability of exploitation · percentile 26.1% · 2026-06-19T12:03:05Z
Published: 2026-03-18
Last modified: 2026-03-24

Underlying weaknesses (1)

CWE-284

References

  1. https://github.com/danny-avila/LibreChat
  2. https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20251205-01_LibreChat_RAG_API_Authentication_Bypass


Type       Target                              Confidence   Tier
Weakness   Improper Access Control (cwe-284)   0%           live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-33265
CVE: CVE-2026-4276
CVE: CVE-2025-69222
CVE: CVE-2025-66201
CVE: CVE-2025-45150
CVE: CVE-2026-22252
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.