Vulnerability Database

299,038

Total vulnerabilities in the database

CVE-2024-10366

An improper access control vulnerability (IDOR) exists in the delete attachments functionality of danny-avila/librechat version v0.7.5-rc2. The endpoint does not verify whether the provided attachment ID belongs to the current user, allowing any authenticated user to delete attachments of other users.

Published: Mar 20, 2025
Updated: Jul 15, 2025
CVE: CVE-2024-10366
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWEs:

CWE-284
CWE-639

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
librechat / librechat	0.7.5-rc2	0.7.5-rc2.x

https://github.com/danny-avila/librechat/commit/a350443661d001ac55787741969a75d94ca14116
https://huntr.com/bounties/cde47cf8-dc81-46ab-b472-f7e44a981a7e

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo