Skip to main content

Librechat CVE-2026-31951

| EUVDEUVD-2026-16769 MEDIUM
Information Exposure (CWE-200)
2026-03-27 GitHub_M
6.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.8 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 27, 2026 - 19:45 euvd
EUVD-2026-16769
Analysis Generated
Mar 27, 2026 - 19:45 vuln.today
CVE Published
Mar 27, 2026 - 19:29 nvd
MEDIUM 6.8

DescriptionGitHub Advisory

LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc1 through 0.8.3-rc1, user-created MCP (Model Context Protocol) servers can include arbitrary HTTP headers that undergo credential placeholder substitution. An attacker can create a malicious MCP server with headers containing {{LIBRECHAT_OPENID_ACCESS_TOKEN}} (and others), causing victims who call tools on that server to have their OAuth tokens exfiltrated. Version 0.8.3-rc2 fixes the issue.

AnalysisAI

LibreChat versions 0.8.2-rc1 through 0.8.3-rc1 leak OAuth access tokens when authenticated users interact with malicious MCP servers, which can inject credential placeholders into HTTP headers that are automatically substituted with sensitive tokens. An attacker can create a rogue MCP server containing headers like {{LIBRECHAT_OPENID_ACCESS_TOKEN}} to harvest victim credentials during tool execution; the vulnerability is fixed in version 0.8.3-rc2. No public exploit code or CISA KEV listing is documented, but the attack requires user interaction (UI:R) and authenticated access (PR:L), limiting real-world impact.

Technical ContextAI

LibreChat implements MCP (Model Context Protocol) server integration that allows users to create custom server configurations. The vulnerability stems from unsafe credential placeholder substitution in HTTP headers (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor). When a user invokes tools on an MCP server, LibreChat processes headers and replaces templated placeholders such as {{LIBRECHAT_OPENID_ACCESS_TOKEN}} with actual OAuth tokens obtained during user authentication. An attacker-controlled MCP server definition can include these placeholders in response headers or request interception points, allowing token exfiltration without proper access control or input validation. The attack leverages LibreChat's trust in user-created MCP server definitions and its automatic token injection mechanism.

RemediationAI

Upgrade to LibreChat version 0.8.3-rc2 or later, which implements secure header handling and disables automatic credential placeholder substitution in MCP server headers. Users unable to upgrade immediately should avoid configuring or using untrusted MCP servers and audit existing MCP server definitions for suspicious header configurations. Detailed patching guidance is available in the GitHub security advisory at https://github.com/danny-avila/LibreChat/security/advisories/GHSA-pmw7-gqwj-f954.

CVE-2024-11170 HIGH POC
8.8 Mar 20

A vulnerability in danny-avila/librechat version git 81f2936 allows for path traversal due to improper sanitization of f

CVE-2024-10361 CRITICAL POC
9.1 Mar 20

An arbitrary file deletion vulnerability exists in danny-avila/librechat version v0.7.5-rc2, specifically within the /ap

CVE-2025-69222 CRITICAL POC
9.1 Jan 07

LibreChat 0.8.1-rc2 has SSRF in the Actions feature that allows authenticated users to make the server perform requests

CVE-2026-22252 CRITICAL POC
9.1 Jan 12

LibreChat before v0.8.2-rc2 allows any authenticated user to execute shell commands as root inside the container through

CVE-2025-66201 HIGH POC
8.6 Nov 29

LibreChat is a ChatGPT clone with additional features. Rated high severity (CVSS 8.6), this vulnerability is remotely ex

CVE-2024-11171 HIGH POC
7.5 Mar 20

In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. Rated high severity (

CVE-2025-69220 HIGH POC
7.1 Jan 07

LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file

CVE-2024-11173 MEDIUM POC
6.5 Mar 20

An unhandled exception in the danny-avila/librechat repository, version git 600d217, can cause the server to crash, lead

CVE-2024-10366 MEDIUM POC
6.5 Mar 20

An improper access control vulnerability (IDOR) exists in the delete attachments functionality of danny-avila/librechat

CVE-2024-41704 CRITICAL
9.8 Jul 22

LibreChat through 0.7.4-rc1 does not validate the normalized pathnames of images. Rated critical severity (CVSS 9.8), th

CVE-2024-41703 CRITICAL
9.8 Jul 22

LibreChat through 0.7.4-rc1 has incorrect access control for message updates. Rated critical severity (CVSS 9.8), this v

CVE-2026-32625 CRITICAL
9.6 Jun 02

{VAR} placeholders against the host process environment, so attacker-controlled MCP URLs cause the LibreChat backend to

Share

CVE-2026-31951 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy