CVE-2026-31949 is a Denial of Service vulnerability in the LibreChat application, a ChatGPT clone with additional features. The vulnerability resides in the DELETE /api/convos endpoint in versions prior to 0.8.3-rc1. Specifically, the route handler attempts to destructure req.body.arg without first verifying that req.body.arg exists. If an authenticated attacker sends a malformed request lacking the expected argument, this leads to an unhandled TypeError. The error bypasses the Express framework's error handling middleware and causes the Node.js process to terminate by calling process.exit(1). This results in a complete crash of the server process, causing denial of service to legitimate users. The vulnerability requires authentication but no additional user interaction. The CVSS v3.1 base score is 6.5, reflecting a medium severity with network attack vector, low attack complexity, and no impact on confidentiality or integrity but high impact on availability. The issue was publicly disclosed on March 13, 2026, and fixed in LibreChat version 0.8.3-rc1. No known exploits are reported in the wild at this time.

The primary impact of this vulnerability is denial of service, which can disrupt availability of LibreChat services. Organizations relying on LibreChat for chatbot or AI conversational services may experience unexpected server crashes, leading to downtime and degraded user experience. Since the vulnerability requires authentication, the attacker must have valid credentials or compromised accounts, which limits exposure but does not eliminate risk. The crash of the Node.js process could also lead to cascading failures if LibreChat is part of a larger service ecosystem. While confidentiality and integrity are not affected, the availability impact can be significant for businesses or services that depend on continuous chatbot operation. Recovery requires restarting the server or applying the patch. The lack of user interaction simplifies exploitation once authentication is obtained. Overall, the vulnerability poses a moderate operational risk to organizations using vulnerable LibreChat versions.

Organizations should immediately upgrade LibreChat to version 0.8.3-rc1 or later, where this vulnerability is fixed. If upgrading is not immediately possible, implement strict input validation on the DELETE /api/convos endpoint to ensure req.body.arg exists before destructuring. Employ robust error handling middleware that can catch unhandled exceptions and prevent process termination. Limit and monitor authentication credentials to reduce the risk of attacker access. Deploy runtime process monitoring and automatic restart mechanisms to minimize downtime in case of crashes. Consider isolating LibreChat instances behind load balancers or reverse proxies that can detect and mitigate abnormal request patterns. Regularly audit logs for malformed requests targeting the vulnerable endpoint. Finally, maintain an incident response plan to quickly recover from potential DoS events.