Loading the catalogue…
Loading the catalogue…
“Genuinely Sovereign when self-hosted, but 13 CVEs in 90 days — including a CVSS 9.9 MCP stdio RCE — demand strict patch discipline before any production deployment.”
Editorial assessment, not legal advice. Stav's risk ratings, scores, and verdicts are our own analysis of publicly available information and may be incomplete or out of date. Verify independently before making compliance or procurement decisions.
Public security, privacy and governance advisories that are still open. Each row carries a source link — these are factual claims, not editorial judgements.
lowUpstream change on librechat: github_last_push '2026-06-23T02:49:58Z' → '2026-06-30T02:54:43Z'
other · open
Source ↗lowUpstream change on librechat: github_last_push '2026-06-16T03:13:05Z' → '2026-06-23T02:49:58Z'
other · open
Source ↗lowUpstream change on librechat: github_last_push '2026-06-09T03:47:07Z' → '2026-06-16T03:13:05Z'
other · open
Source ↗lowUpstream change on librechat: github_last_push '2026-06-02T05:17:55Z' → '2026-06-09T03:47:07Z', cve_count 16 → 29
other · open
Source ↗lowUpstream change on librechat: github_last_push '2026-05-19T01:40:17Z' → '2026-06-02T05:17:55Z'
other · open
Source ↗lowUpstream change on librechat: github_last_push '2026-05-12T06:04:52Z' → '2026-05-19T01:40:17Z'
other · open
Source ↗lowUpstream change on librechat: github_last_push '2026-05-05T03:22:32Z' → '2026-05-12T06:04:52Z'
other · open
Source ↗lowUpstream change on librechat: github_last_push None → '2026-05-05T03:22:32Z', cve_count None → 16
other · open
Source ↗How LibreChat moves data between the client, the inference endpoint and any vendor-owned services.
OpenAI-compatible. Point LibreChat at Stav, set the header, you're done.
# LibreChat on Stav AI # OpenAI-compatible — drop the base URL in, swap your key, ship. OPENAI_API_KEY=$STAV_API_KEY OPENAI_BASE_URL=https://api.stav.ai/v1 # Header — Stav attributes usage to your registered app and respects # per-app routing policy. Send when the app supports custom headers. X-Stav-App-Id: librechat
Setup notes · Read about sovereign routing →
What a model must support to work well with LibreChat. Match these against the Stav model catalogue to pick an endpoint.
Live usage rolls up every five minutes. We surface the model mix once enough requests have flowed through this app.
Live usage rolls up every five minutes. We surface the 12-week trend once enough requests have flowed through this app.