What is CVE-2026-33265?

CVE-2026-33265 is a medium-severity vulnerability in Librechat, classified under Incorrect Resource Transfer Between Spheres. CVSS score: 6.3/10. Published 2026-03-18.

How severe is CVE-2026-33265?

Medium severity. CVSS v3 base score is 6.3 out of 10.

Vulnerability in Librechat

CVE-2026-33265

In LibreChat 0.8.1-rc2, a logged-in user obtains a JWT for both the LibreChat API and the RAG API.

EPSS: 0.001 (22.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.3 (Medium). Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L.

Affected products

Librechat — versions 0.8.1-rc2

Weakness classification (CWE)

CWE-669 — Incorrect Resource Transfer Between Spheres

References

github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20251205-01_LibreCha…
www.openwall.com/lists/oss-security/2026/03/18/3

Frequently asked questions

What is CVE-2026-33265?: CVE-2026-33265 is a medium-severity vulnerability in Librechat, classified under Incorrect Resource Transfer Between Spheres. CVSS score: 6.3/10. Published 2026-03-18.
How severe is CVE-2026-33265?: Medium severity. CVSS v3 base score is 6.3 out of 10.