LibreChat CVE-2026-31942
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.7.6, an Insecure Direct Object Reference (IDOR) vulnerability exists in the API keys management endpoint (PUT /api/keys). Due to the use of the JavaScript object spread operator after setting the authenticated user's ID, any authenticated user can inject a userId parameter in the request body to overwrite any other user's API keys (e.g., OpenAI, Anthropic, Azure). This allows an attacker to replace a victim's API key configuration, potentially routing the victim's conversations through attacker-controlled keys or denying service by providing invalid keys. This is patched in version 0.8.3-rc1.
AnalysisAI
Cross-user API key overwrite in LibreChat versions up to and including 0.7.6 allows any authenticated user to replace another user's stored provider API keys (OpenAI, Anthropic, Azure) by injecting a userId parameter into PUT /api/keys requests. The flaw stems from an Insecure Direct Object Reference where the JavaScript spread operator overrides the server-set authenticated user ID, enabling conversation hijacking or denial of service. No public exploit identified at time of analysis, and the issue is fixed in 0.8.3-rc1.
Technical ContextAI
LibreChat (cpe:2.3:a:danny-avila:librechat) is an open-source, self-hosted multi-provider chat interface that brokers requests to upstream LLM APIs using per-user stored credentials. The root cause is CWE-862 (Missing Authorization): the PUT /api/keys handler constructs its update document by spreading the request body after assigning req.user.id, so a client-supplied userId in the body shadows the trusted server value and the database write targets an arbitrary account. This is a classic order-of-assignment IDOR exacerbated by trusting client JSON in a privileged write path.
RemediationAI
Upgrade to LibreChat 0.8.3-rc1 or later, which is the vendor-released patched version per advisory GHSA-5jcj-rh68-cgj7 (https://github.com/danny-avila/LibreChat/security/advisories/GHSA-5jcj-rh68-cgj7). If immediate upgrade is not possible, disable open user registration so only trusted users can reach the authenticated endpoint, place an authenticating reverse proxy or WAF rule in front of PUT /api/keys to strip or reject any userId field in the request body, and rotate all stored provider API keys (OpenAI, Anthropic, Azure) after patching since prior overwrites may be undetected; the trade-off of WAF body-rewriting is potential breakage of legitimate future schema changes, and forcing key rotation will require users to re-enter credentials.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today