{"id":"CVE-2025-8850","details":"In danny-avila/librechat version 0.7.9, there is an insecure API design flaw in the two-factor authentication (2FA) flow. The system allows users to disable 2FA without requiring a valid OTP or backup code, bypassing the intended verification step. This vulnerability occurs because the backend does not properly validate the OTP or backup code when the API endpoint '/api/auth/2fa/disable' is accessed directly. Authenticated users can exploit this flaw to weaken the security of their own accounts, although it does not lead to full account compromise.","modified":"2026-04-10T05:36:28.951915Z","published":"2025-10-30T20:15:39.633Z","references":[{"type":"FIX","url":"https://github.com/danny-avila/librechat/commit/7e4c8a5d0d2dbe5bf8fd272ff6acafb27d24744f"},{"type":"FIX","url":"https://huntr.com/bounties/8e615709-f4de-41e2-b194-f0d91ed7c75e"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/danny-avila/librechat","events":[{"introduced":"0"},{"last_affected":"bef5c26bed4e5053bdf1936d6ded2c77035c6ee5"},{"fixed":"7e4c8a5d0d2dbe5bf8fd272ff6acafb27d24744f"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.7.9-NA"}]}}],"versions":["librechat-1.8.9","v0.0.1","v0.0.2","v0.0.3","v0.0.6","v0.1.0","v0.1.1","v0.2.0","v0.3.0","v0.3.3","v0.4.0","v0.4.1","v0.4.2","v0.4.3","v0.4.4","v0.4.5","v0.4.6","v0.4.7","v0.4.8","v0.5.0","v0.5.1","v0.5.2","v0.5.3","v0.5.4","v0.5.5","v0.5.6","v0.5.7","v0.5.8","v0.5.9","v0.6.0","v0.6.1","v0.6.10","v0.6.5","v0.6.6","v0.6.9","v0.7.0","v0.7.1","v0.7.2","v0.7.3","v0.7.3-rc","v0.7.3-rc2","v0.7.4","v0.7.4-rc1","v0.7.5","v0.7.5-rc1","v0.7.5-rc2","v0.7.6","v0.7.6-rc1","v0.7.7","v0.7.7-rc1","v0.7.8","v0.7.8-rc1","v0.7.9","v0.7.9-rc1","v0.8.0-rc1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-8850.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}