PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-54024 danny-avila CVE debrief

CVE-2026-54024 is a denial-of-service vulnerability in LibreChat, an enhanced ChatGPT clone, that lets any authenticated user upload a file of arbitrary size through the POST /api/convos/import endpoint. The endpoint builds its own multer instance, which never received the limits configuration that the fix for CVE-2024-11171 added to createMulterInstance(). The application-level size check does not help by default, because the environment variable that enables it is commented out in .env.example. An attacker can use this to exhaust the server's disk space and memory. The vulnerability has a CVSS score of 6.5 (MEDIUM). It was published on June 25, 2026, and modified on June 29, 2026.

Vendor: danny-avila
Product: LibreChat
CVSS: 6.5 (MEDIUM)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-25
Original CVE updated: 2026-06-29
Advisory published: 2026-06-25
Advisory updated: 2026-06-29

Who should care

Operators of LibreChat deployments running a version earlier than 0.8.4-rc1 are affected. The only precondition for an attacker is an authenticated account, so every multi-user instance whose users can reach POST /api/convos/import is exposed. Administrators should update and check disk and memory headroom on the host that receives uploads.

Technical summary

The flaw is in LibreChat's file upload routes. The fix for CVE-2024-11171 added a limits configuration to createMulterInstance(), but the POST /api/convos/import endpoint constructs its own multer instance, which was never given the same limits. An authenticated user can therefore upload a file of any size to that endpoint, and the server spools the bytes, which exhausts disk space and memory. The application-level check that would catch this is off by default: the CONVERSATION_IMPORT_MAX_FILE_SIZE_BYTES environment variable that enables it is commented out in .env.example, so an operator who copied the example file unchanged runs with no limit. Exploitation needs nothing more than a multipart request to POST /api/convos/import whose file part is very large.
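The configuration gap described above, as an added example written for this debrief (it is not LibreChat's code and not a reconstruction of the vendor's fix): a hand-built multer instance without limits next to a hardened one that derives its cap from CONVERSATION_IMPORT_MAX_FILE_SIZE_BYTES, the one identifier here that the advisory names. The function names, the 50 MiB fallback and the single-file limit are assumptions for illustration. The multer module is passed in as a parameter so the snippet runs without the package installed and the options it would receive can be inspected.

```javascript
// Added example, not LibreChat's code. Names marked "assumed" are illustrative.
const DEFAULT_IMPORT_MAX_BYTES = 50 * 1024 * 1024; // assumed fallback: 50 MiB

// Read CONVERSATION_IMPORT_MAX_FILE_SIZE_BYTES. A line that is commented out in
// .env.example is simply absent at runtime, so `raw` is undefined.
// Returns the byte budget, or null when the variable is unset or invalid.
function importMaxBytes(env) {
  const raw = env.CONVERSATION_IMPORT_MAX_FILE_SIZE_BYTES;
  if (raw === undefined || String(raw).trim() === '') return null;
  const n = Number(raw);
  return Number.isSafeInteger(n) && n > 0 ? n : null;
}

// BEFORE (the bug class): a second multer instance built by hand, without a
// `limits` key. multer then accepts a file part of any size.
function vulnerableImportUpload(multer, storage) {
  return multer({ storage });
}

// AFTER: one place decides the limits, and "env var missing" falls back to a
// hard cap instead of to "unlimited". `files: 1` assumes the import endpoint
// takes exactly one file.
function hardenedImportUpload(multer, storage, env) {
  const fileSize = importMaxBytes(env) ?? DEFAULT_IMPORT_MAX_BYTES;
  return multer({ storage, limits: { fileSize, files: 1 } });
}

// Express-style pre-check: refuse oversize bodies from the Content-Length
// header before a single byte is spooled. Chunked bodies carry no
// Content-Length, so multer's fileSize limit stays the real backstop.
function contentLengthGuard(maxBytes) {
  return function (req, res, next) {
    const len = Number(req.headers['content-length']);
    if (Number.isFinite(len) && len > maxBytes) {
      res.statusCode = 413;
      res.end('payload too large');
      return;
    }
    next();
  };
}

// multer aborts an oversize upload with a MulterError whose code is
// LIMIT_FILE_SIZE; map it to 413 so clients and logs see the real cause
// instead of a generic 500.
function multerErrorHandler(err, req, res, next) {
  if (err && err.code === 'LIMIT_FILE_SIZE') {
    res.statusCode = 413;
    res.end('file exceeds import limit');
    return;
  }
  next(err);
}
```

In a real Express app the hardened instance would be mounted as `app.post('/api/convos/import', contentLengthGuard(cap), upload.single('file'), handler, multerErrorHandler)`; the point of the example is that the cap is computed once and that the absence of the environment variable degrades to a finite default rather than to no limit at all.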

Defensive priority

Updating LibreChat to version 0.8.4-rc1 or later is the fix and should be treated as high priority. Until the update lands, administrators should watch disk and memory headroom on the host that receives uploads and put compensating controls in place: the monitoring and exception tracking listed under the recommended actions and, as a general control that the advisory itself does not mention, a request body size cap on any reverse proxy in front of the application.

Recommended defensive actions

  • Update LibreChat to version 0.8.4-rc1 or later; the remaining items are stopgaps.
  • Check disk space and memory on the host that stores uploads for signs of exhaustion, and alert on both.
  • Monitor request sizes to POST /api/convos/import and track upload-related exceptions.
  • Disable or block the POST /api/convos/import endpoint if conversation import is not needed.
  • Enable the application-level size check by setting CONVERSATION_IMPORT_MAX_FILE_SIZE_BYTES; it is commented out in .env.example, so it stays unset unless you add it.
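A log-based check for the monitoring item above, as an added example that is not from the advisory or from LibreChat: it assumes a reverse proxy in front of LibreChat writing an nginx-style access log that includes $request_length (LibreChat itself does not emit this field), and the sample lines are constructed for the example, not captured from a real system.

```javascript
// Added example. The log format is an assumption: an nginx log_format such as
//   '$remote_addr $remote_user [$time_local] "$request" $status $request_length'
// on a proxy in front of LibreChat. The sample lines below are constructed.
const IMPORT_PATH = '/api/convos/import';
const LINE_RE = /^(\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\d+)$/;

// Parse one access-log line; returns null for lines that do not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return {
    ip: m[1],
    user: m[2],
    time: m[3],
    method: m[4],
    path: m[5].split('?')[0],
    status: Number(m[6]),
    requestLength: Number(m[7]), // bytes received from the client, headers + body
  };
}

function isImport(e) {
  return e.method === 'POST' && e.path === IMPORT_PATH;
}

// Single oversize uploads: import POSTs whose request exceeded maxBytes.
function flagOversizeImports(lines, maxBytes) {
  return lines
    .map(parseLine)
    .filter((e) => e && isImport(e) && e.requestLength > maxBytes);
}

// Slow-drip variant: total import bytes per user, so many medium files from
// one account stand out even when no single request trips the threshold.
function importBytesPerUser(lines) {
  const totals = new Map();
  for (const e of lines.map(parseLine)) {
    if (!e || !isImport(e)) continue;
    totals.set(e.user, (totals.get(e.user) || 0) + e.requestLength);
  }
  return totals;
}

// Human-readable findings for both checks.
function summarize(lines, maxBytes) {
  const out = [];
  for (const e of flagOversizeImports(lines, maxBytes)) {
    out.push(`oversize import: user=${e.user} ip=${e.ip} bytes=${e.requestLength} at ${e.time}`);
  }
  for (const [user, bytes] of importBytesPerUser(lines)) {
    out.push(`import bytes total: user=${user} bytes=${bytes}`);
  }
  return out;
}

// Constructed sample: one normal import, two 2 GiB imports from the same
// account, unrelated traffic, and one malformed line.
const SAMPLE_LOG = [
  '10.0.0.5 alice [25/Jun/2026:10:00:01 +0000] "POST /api/convos/import HTTP/1.1" 200 48213',
  '10.0.0.9 mallory [25/Jun/2026:10:00:07 +0000] "POST /api/convos/import HTTP/1.1" 200 2147483648',
  '10.0.0.9 mallory [25/Jun/2026:10:00:31 +0000] "POST /api/convos/import HTTP/1.1" 200 2147483648',
  '10.0.0.5 alice [25/Jun/2026:10:01:02 +0000] "GET /api/convos?limit=20 HTTP/1.1" 200 512',
  '10.0.0.7 bob [25/Jun/2026:10:01:10 +0000] "POST /api/files HTTP/1.1" 200 90000000',
  'not a log line',
];

console.log(summarize(SAMPLE_LOG, 10 * 1024 * 1024).join('\n'));
```

The 10 MiB threshold in the sample call is arbitrary; in practice it should match whatever CONVERSATION_IMPORT_MAX_FILE_SIZE_BYTES is set to, so that any request the log shows above it is either a client that ignored the limit or evidence that the limit is not being enforced.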

Evidence notes

The CVE record and the NVD entry supply the CVSS score and severity. The source item URL supplies the record's status and references. The vendor's mitigation reference describes the fix.

Official resources

This article is AI-assisted and based on the supplied source corpus.