CVE-2024-10366 HIGH

CVE-2024-10366: IDOR in delete attachments in danny-avila/librechat

Vendor Danny-Avila
Product danny-avila/librechat
Weakness CWE-639 · IDOR
Published March 20, 2025
Last update July 15, 2025

CVSS base score

7.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity High
Availability Low

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

What the vulnerability does

Description

An improper access control vulnerability (IDOR) exists in the delete-attachments functionality of danny-avila/librechat version v0.7.5-rc2. The endpoint does not verify that the supplied attachment ID belongs to the authenticated user, so any authenticated user can delete attachments that belong to other users.

Key dates

Disclosure timeline

March 20, 2025 CVE published
July 15, 2025 Record updated