CVE-2026-31949 is a Denial of Service vulnerability identified in the LibreChat application, a ChatGPT clone with additional features. The vulnerability resides in the DELETE /api/convos API endpoint in versions prior to 0.8.3-rc1. Specifically, the endpoint handler attempts to destructure the property req.body.arg without verifying that req.body or arg exists. When an authenticated attacker sends a malformed request missing the expected argument, this results in an unhandled TypeError. Because the error bypasses Express.js error handling middleware, the Node.js process calls process.exit(1), causing the server to crash and become unavailable. This vulnerability is classified under CWE-248 (Uncaught Exception) and does not require user interaction but does require the attacker to be authenticated. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) reflects network attack vector, low attack complexity, requiring privileges, no user interaction, unchanged scope, no confidentiality or integrity impact, but high impact on availability. No known exploits are reported in the wild. The issue is resolved in LibreChat version 0.8.3-rc1 by adding proper validation to ensure req.body.arg exists before destructuring, preventing the unhandled exception and server crash.

The primary impact of this vulnerability is a Denial of Service condition, where an attacker with valid credentials can crash the LibreChat server, causing service unavailability. This can disrupt communication and chatbot services relying on LibreChat, potentially affecting business operations, customer support, or internal workflows. Since the vulnerability does not affect confidentiality or integrity, data breaches or unauthorized data modification are not direct concerns. However, repeated exploitation could degrade user trust and availability of critical AI-driven chat services. Organizations using LibreChat in production environments, especially those exposing the API endpoint to authenticated users, face risks of service interruptions. The requirement for authentication limits the attack surface but does not eliminate risk, particularly in environments with many users or weak access controls.

Organizations should immediately upgrade LibreChat to version 0.8.3-rc1 or later, where this vulnerability is fixed. In addition, implement strict input validation on all API endpoints to ensure expected request body parameters exist before destructuring or processing. Employ robust error handling middleware in Express.js to catch unexpected exceptions and prevent server crashes. Limit access to the DELETE /api/convos endpoint by enforcing strong authentication and authorization controls, minimizing the number of users with deletion privileges. Monitor server logs for repeated malformed requests or crashes indicative of exploitation attempts. Consider deploying rate limiting or anomaly detection to detect and block suspicious request patterns. Regularly audit and update dependencies and monitor security advisories for LibreChat and related components.