Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-34371

CVE-2026-34371: LibreChat Path Traversal Vulnerability

CVE-2026-34371 is a path traversal flaw in LibreChat that allows attackers to write arbitrary files via malicious artifact filenames. This post covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-34371 Overview

A path traversal vulnerability has been identified in LibreChat, a popular open-source ChatGPT clone with additional features. Prior to version 0.8.4, LibreChat trusts the name field returned by the execute_code sandbox when persisting code-generated artifacts. On deployments using the default local file strategy, a malicious artifact filename containing traversal sequences (for example, ../../../../../app/client/dist/poc.txt) is concatenated into the server-side destination path and written with fs.writeFileSync() without sanitization. This gives any user who can trigger execute_code an arbitrary file write primitive as the LibreChat server user.

Critical Impact

Authenticated attackers can write arbitrary files to the server filesystem, potentially enabling remote code execution, configuration tampering, or service disruption.

Affected Products

  • LibreChat versions prior to 0.8.4
  • Deployments using the default local file storage strategy
  • Instances with execute_code functionality enabled

Discovery Timeline

  • 2026-04-07 - CVE CVE-2026-34371 published to NVD
  • 2026-04-08 - Last updated in NVD database

Technical Details for CVE-2026-34371

Vulnerability Analysis

This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal. The core issue stems from LibreChat's implicit trust of user-controlled input when handling artifact filenames returned from the code execution sandbox.

When users execute code through LibreChat's sandbox environment, the application persists resulting artifacts to the local filesystem. The vulnerability occurs because the application directly concatenates the artifact's name field into the destination path without proper validation or sanitization. This design flaw allows malicious path traversal sequences such as ../ to escape the intended storage directory and write files to arbitrary locations on the server filesystem.

The attack requires network access and user authentication (low privileges), but exploitation has high complexity due to the specific conditions required. The impact is limited to integrity concerns, as the vulnerability enables arbitrary file writes but does not directly expose confidential data or cause system availability issues.

Root Cause

The root cause is insufficient input validation in the artifact persistence logic. When the execute_code sandbox returns an artifact with a user-controlled filename, LibreChat's server-side code directly uses this value in the file path construction without sanitizing directory traversal sequences. The fs.writeFileSync() function then writes the artifact content to whatever path results from this concatenation, enabling attackers to escape the intended artifact storage directory.

Attack Vector

The attack is network-based and requires an authenticated user with access to the code execution functionality. An attacker crafts a malicious artifact filename containing path traversal sequences that, when processed by the server, resolve to a location outside the intended storage directory.

The vulnerability mechanism works as follows: when code execution produces an artifact, the sandbox returns metadata including a name field. LibreChat's artifact handling code takes this name and appends it to the base storage path. Without sanitization, a name like ../../../../../app/client/dist/malicious.js would cause the server to write the artifact content to the application's client distribution directory, potentially overwriting legitimate application files or injecting malicious content.

For detailed technical information, refer to the GitHub Security Advisory.

Detection Methods for CVE-2026-34371

Indicators of Compromise

  • File system anomalies showing new or modified files in unexpected directories outside the artifact storage path
  • Web server logs indicating code execution requests with unusual artifact names containing ../ sequences
  • Unexpected files appearing in the LibreChat client distribution directory (/app/client/dist/)
  • Modified application configuration files or server-side scripts

Detection Strategies

  • Implement file integrity monitoring (FIM) on critical LibreChat directories to detect unauthorized file modifications
  • Configure application-level logging to capture artifact names during code execution and alert on path traversal patterns
  • Deploy web application firewall (WAF) rules to detect and block requests containing path traversal sequences in artifact-related parameters
  • Review server logs for patterns of ../ in code execution request payloads

Monitoring Recommendations

  • Enable verbose logging for the LibreChat artifact storage subsystem to capture filename operations
  • Monitor the filesystem for write operations occurring outside designated artifact storage directories
  • Set up alerts for any modifications to application source code or configuration files on the LibreChat server
  • Implement behavioral analysis to detect authenticated users attempting multiple code executions with unusual artifact names

How to Mitigate CVE-2026-34371

Immediate Actions Required

  • Upgrade LibreChat to version 0.8.4 or later immediately
  • Review file systems for any unexpected files that may indicate prior exploitation
  • Audit artifact storage directories for files with suspicious names or content
  • Consider temporarily disabling the execute_code functionality until patching is complete

Patch Information

The vulnerability has been fixed in LibreChat version 0.8.4. The patch implements proper sanitization of artifact filenames before they are used in file path construction, preventing directory traversal attacks. Organizations should upgrade to 0.8.4 or later to remediate this vulnerability. For additional details, consult the GitHub Security Advisory.

Workarounds

  • Switch from the default local file storage strategy to a cloud-based storage backend that does not rely on local filesystem paths
  • Implement filesystem-level access controls to restrict the LibreChat process from writing outside designated directories
  • Deploy the application in a containerized environment with read-only filesystem mounts for critical directories
  • Use AppArmor or SELinux profiles to restrict file write operations to the intended artifact storage location
bash
# Example: Restrict LibreChat write permissions using filesystem permissions
# Ensure the artifact storage directory is the only writable location

# Create restricted artifact directory
mkdir -p /var/lib/librechat/artifacts
chown librechat:librechat /var/lib/librechat/artifacts
chmod 755 /var/lib/librechat/artifacts

# Make application directories read-only for the service user
chmod 555 /app/client/dist
chattr +i /app/client/dist/*.js

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.