CVE-2025-41258

LibreChat version 0.8.1-rc2 uses the same JWT secret for the user session mechanism and RAG API which compromises the service-level authentication of the RAG API...

CVE-2026-33124

Frigate is a network video recorder NVR with realtime local object detection for IP cameras. Versions prior to 0.17.0-beta1 allow any authenticated user to change their own password without verifying the current password through the /users/username/password endpoint. Changing a password does not...

PT-2026-28529

Name of the Vulnerable Software and Affected Versions OpenBao versions prior to 2.5.2 Description OpenBao, an open source identity-based secrets management system, does not prompt for user confirmation when logging in via JWT/OIDC with a role configured with callback mode set to direct. This allo...

PT-2026-28530

Name of the Vulnerable Software and Affected Versions OpenBao versions prior to 2.5.2 Description OpenBao, an open source identity-based secrets management system, is susceptible to Reflected Cross-Site Scripting XSS through the error description parameter during failed authentication attempts wh...

CVE-2026-33322

MinIO is a high-performance object storage system. From RELEASE.2022-11-08T05-27-07Z to before RELEASE.2026-03-17T21-25-16Z, a JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and...

PT-2026-27613

Name of the Vulnerable Software and Affected Versions NATS-Server versions prior to 2.11.15 NATS-Server versions prior to 2.12.6 Description NATS-Server, a high-performance server for NATS.io, a cloud and edge native messaging system, contains an issue where MQTT passwords are incorrectly...

CVE-2026-33124

Frigate is a network video recorder NVR with realtime local object detection for IP cameras. Versions prior to 0.17.0-beta1 allow any authenticated user to change their own password without verifying the current password through the /users/username/password endpoint. Changing a password does not...

CVE-2026-33124 Frigate has insecure password change functionality

Frigate is a network video recorder NVR with realtime local object detection for IP cameras. Versions prior to 0.17.0-beta1 allow any authenticated user to change their own password without verifying the current password through the /users/username/password endpoint. Changing a password does not...

BIT-CEPH-2024-48916 Ceph is vulnerable to authentication bypass through RadosGW

Ceph is a distributed object, block, and file storage platform. In versions 19.2.3 and below, it is possible to send an JWT that has "none" as JWT alg. And by doing so the JWT signature is not checked. The vulnerability is most likely in the RadosGW OIDC provider. As of time of publication, a kno...

PT-2026-26781

Name of the Vulnerable Software and Affected Versions Langflow versions prior to 1.7.1 Description Langflow is a tool for building and deploying AI-powered agents and workflows. In the download profile picture function of the /profile pictures/folder name/file name API endpoint, the folder name a...

Frigate 授权问题漏洞

Frigate is a complete native NVR developed by Blake Blackshear, designed specifically for home assistants with AI object detection capabilities. Versions of Frigate prior to 0.17.0-beta1 contained an authorization vulnerability. This vulnerability stemmed from the fact that changing passwords did...

GHSA-5CX5-WH4M-82FH MinIO has JWT Algorithm Confusion in OIDC Authentication

Impact What kind of vulnerability is it? Who is impacted? A JWT algorithm confusion vulnerability in MinIO's OpenID Connect authentication allows an attacker who knows the OIDC ClientSecret to forge arbitrary identity tokens and obtain S3 credentials with any policy, including consoleAdmin. An...

EUVD-2025-208825

LibreChat version 0.8.1-rc2 uses the same JWT secret for the user session mechanism and RAG API which compromises the service-level authentication of the RAG API...

CVE-2025-41258

LibreChat version 0.8.1-rc2 uses the same JWT secret for the user session mechanism and RAG API which compromises the service-level authentication of the RAG API...

CVE-2026-33265

In LibreChat 0.8.1-rc2, a logged-in user obtains a JWT for both the LibreChat API and the RAG API...

CVE-2026-33265

In LibreChat 0.8.1-rc2, a logged-in user obtains a JWT for both the LibreChat API and the RAG API...

CVE-2026-33265

The vulnerability CVE-2026-33265 affects LibreChat 0.8.1-rc2, where a logged-in user can obtain a JWT for both the LibreChat API and the RAG API. The connected documents confirm the affected product and the exact outcome (JWTs issued to an authenticated user), but they do not provide root cause d...

CVE-2025-41258

LibreChat version 0.8.1-rc2 uses the same JWT secret for the user session mechanism and RAG API which compromises the service-level authentication of the RAG API...

PT-2026-26053

🟠 CVE-2025-41258 - High LibreChat version 0.8.1-rc2 uses the same JWT secret for the user session mechanism and RAG API which compromises the service-level authentication of the RAG API. https://t.co/MJXOI2sVrJ https://t.co/WsKiIkw0M2...

PT-2026-26054

CVE-2026-33265 In LibreChat 0.8.1-rc2, a logged-in user obtains a JWT for both the LibreChat API and the RAG API. https://t.co/i9mMVjDhcg...