CVE-2026-34371 Overview
A path traversal vulnerability has been identified in LibreChat, a popular open-source ChatGPT clone with additional features. Prior to version 0.8.4, LibreChat trusts the name field returned by the execute_code sandbox when persisting code-generated artifacts. On deployments using the default local file strategy, a malicious artifact filename containing traversal sequences (for example, ../../../../../app/client/dist/poc.txt) is concatenated into the server-side destination path and written with fs.writeFileSync() without sanitization. This gives any user who can trigger execute_code an arbitrary file write primitive as the LibreChat server user.
Critical Impact
Authenticated attackers can write arbitrary files to the server filesystem, potentially enabling remote code execution, configuration tampering, or service disruption.
Affected Products
- LibreChat versions prior to 0.8.4
- Deployments using the default local file storage strategy
- Instances with execute_code functionality enabled
Discovery Timeline
- 2026-04-07 - CVE CVE-2026-34371 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-34371
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal. The core issue stems from LibreChat's implicit trust of user-controlled input when handling artifact filenames returned from the code execution sandbox.
When users execute code through LibreChat's sandbox environment, the application persists resulting artifacts to the local filesystem. The vulnerability occurs because the application directly concatenates the artifact's name field into the destination path without proper validation or sanitization. This design flaw allows malicious path traversal sequences such as ../ to escape the intended storage directory and write files to arbitrary locations on the server filesystem.
The attack requires network access and user authentication (low privileges), but exploitation has high complexity due to the specific conditions required. The impact is limited to integrity concerns, as the vulnerability enables arbitrary file writes but does not directly expose confidential data or cause system availability issues.
Root Cause
The root cause is insufficient input validation in the artifact persistence logic. When the execute_code sandbox returns an artifact with a user-controlled filename, LibreChat's server-side code directly uses this value in the file path construction without sanitizing directory traversal sequences. The fs.writeFileSync() function then writes the artifact content to whatever path results from this concatenation, enabling attackers to escape the intended artifact storage directory.
Attack Vector
The attack is network-based and requires an authenticated user with access to the code execution functionality. An attacker crafts a malicious artifact filename containing path traversal sequences that, when processed by the server, resolve to a location outside the intended storage directory.
The vulnerability mechanism works as follows: when code execution produces an artifact, the sandbox returns metadata including a name field. LibreChat's artifact handling code takes this name and appends it to the base storage path. Without sanitization, a name like ../../../../../app/client/dist/malicious.js would cause the server to write the artifact content to the application's client distribution directory, potentially overwriting legitimate application files or injecting malicious content.
For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-34371
Indicators of Compromise
- File system anomalies showing new or modified files in unexpected directories outside the artifact storage path
- Web server logs indicating code execution requests with unusual artifact names containing ../ sequences
- Unexpected files appearing in the LibreChat client distribution directory (/app/client/dist/)
- Modified application configuration files or server-side scripts
Detection Strategies
- Implement file integrity monitoring (FIM) on critical LibreChat directories to detect unauthorized file modifications
- Configure application-level logging to capture artifact names during code execution and alert on path traversal patterns
- Deploy web application firewall (WAF) rules to detect and block requests containing path traversal sequences in artifact-related parameters
- Review server logs for patterns of ../ in code execution request payloads
Monitoring Recommendations
- Enable verbose logging for the LibreChat artifact storage subsystem to capture filename operations
- Monitor the filesystem for write operations occurring outside designated artifact storage directories
- Set up alerts for any modifications to application source code or configuration files on the LibreChat server
- Implement behavioral analysis to detect authenticated users attempting multiple code executions with unusual artifact names
How to Mitigate CVE-2026-34371
Immediate Actions Required
- Upgrade LibreChat to version 0.8.4 or later immediately
- Review file systems for any unexpected files that may indicate prior exploitation
- Audit artifact storage directories for files with suspicious names or content
- Consider temporarily disabling the execute_code functionality until patching is complete
Patch Information
The vulnerability has been fixed in LibreChat version 0.8.4. The patch implements proper sanitization of artifact filenames before they are used in file path construction, preventing directory traversal attacks. Organizations should upgrade to 0.8.4 or later to remediate this vulnerability. For additional details, consult the GitHub Security Advisory.
Workarounds
- Switch from the default local file storage strategy to a cloud-based storage backend that does not rely on local filesystem paths
- Implement filesystem-level access controls to restrict the LibreChat process from writing outside designated directories
- Deploy the application in a containerized environment with read-only filesystem mounts for critical directories
- Use AppArmor or SELinux profiles to restrict file write operations to the intended artifact storage location
# Example: Restrict LibreChat write permissions using filesystem permissions
# Ensure the artifact storage directory is the only writable location
# Create restricted artifact directory
mkdir -p /var/lib/librechat/artifacts
chown librechat:librechat /var/lib/librechat/artifacts
chmod 755 /var/lib/librechat/artifacts
# Make application directories read-only for the service user
chmod 555 /app/client/dist
chattr +i /app/client/dist/*.js
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
