CVE-2026-31949 MEDIUM

CVE-2026-31949: LibreChat Denial of Service (DoS) via Unhandled Exception in DELETE /api/convos

Vendor Danny-Avila
Product LibreChat
Weakness CWE-248
Published March 13, 2026
Last update March 16, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

LibreChat is a ChatGPT clone with additional features. Prior to 0.8.3-rc1, a Denial of Service (DoS) vulnerability exists in the DELETE /api/convos endpoint that allows an authenticated attacker to crash the Node.js server process by sending malformed requests. The DELETE /api/convos route handler attempts to destructure req.body.arg without validating that it exists. The server crashes due to an unhandled TypeError that bypasses Express error handling middleware and triggers process.exit(1). This vulnerability is fixed in 0.8.3-rc1.

Key dates

02Disclosure timeline

March 13, 2026 CVE published
March 16, 2026 Record updated