CVE-2026-54036

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the GET /api/auth/2fa/enable endpoint can be called by an authenticated user or attacker with a stolen session even when 2FA is already fully enabled on the account. This endpoint overwrites the existi...

Lovable VDP: Improper Authorization Leads to Editor can toggle admin-only workspace features (Lovable AI)

The API endpoint /workspaces//tool-preferences/aigateway/enable did not enforce proper authorization checks. As a result, an account with the Editor role was able to disable the workspace-wide admin-only Lovable AI feature, which powers key AI functionalities across the workspace...