Skip to main content

LibreChat CVE-2026-32625

CRITICAL
Information Exposure (CWE-200)
2026-06-02 security-advisories@github.com
9.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 02, 2026 - 23:30 vuln.today

DescriptionGitHub Advisory

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, the Model Context Protocol (MCP) server integration resolves ${VAR} placeholders against the server's process.env during Zod schema validation of user-supplied MCP server URLs. Any authenticated user can create a malicious MCP server configuration with a URL pointing to an attacker-controlled domain containing environment variable references, causing the LibreChat server to connect to the attacker's server and transmit critical secrets such as CREDS_KEY, CREDS_IV, JWT_SECRET, and MONGO_URI in the request URL. This enables full compromise of the installation's cryptographic materials and database credentials without requiring administrative privileges. This is patched in version 0.8.4-rc1.

AnalysisAI

{VAR} placeholders against the host process environment, so attacker-controlled MCP URLs cause the LibreChat backend to transmit CREDS_KEY, CREDS_IV, JWT_SECRET, and MONGO_URI to an attacker-controlled host. No public exploit identified at time of analysis, and the issue is fixed in 0.8.4-rc1.

Technical ContextAI

LibreChat is a multi-provider ChatGPT-style web application that integrates with MCP (Model Context Protocol) servers configured per user. During validation of user-submitted MCP server URLs, the application performs ${VAR} interpolation against the Node.js process.env on the LibreChat server. Because the interpolation runs server-side before the outbound MCP connection is initiated, any environment variable held by the host process - including cryptographic keys (CREDS_KEY, CREDS_IV), the JWT signing secret, and the MongoDB connection string - can be embedded directly into the request URL sent to the remote host. The underlying weakness is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), driven by an unsafe templating step inside the configuration parser that fails to distinguish between trusted operator-supplied values and untrusted user input.

RemediationAI

Upgrade to LibreChat 0.8.4-rc1 or later, which is the vendor-confirmed patched release per GHSA-4pcc-j6m6-wcwx (https://github.com/danny-avila/LibreChat/security/advisories/GHSA-4pcc-j6m6-wcwx). Where immediate upgrade is not possible, disable the MCP server integration entirely or restrict MCP configuration to trusted administrators only by removing the ability for standard users to define MCP server URLs, accepting the trade-off that end-user MCP functionality is lost. Additionally, because secrets may already have been exfiltrated by any user on an exposed instance, rotate CREDS_KEY, CREDS_IV, JWT_SECRET, and MONGO_URI after patching, invalidate existing JWTs (forcing user re-login), and review outbound network logs for connections to unexpected MCP hosts during the exposure window; closing self-registration on public deployments is also recommended as a compensating control until upgrade is complete.

CVE-2024-11170 HIGH POC
8.8 Mar 20

A vulnerability in danny-avila/librechat version git 81f2936 allows for path traversal due to improper sanitization of f

CVE-2024-10361 CRITICAL POC
9.1 Mar 20

An arbitrary file deletion vulnerability exists in danny-avila/librechat version v0.7.5-rc2, specifically within the /ap

CVE-2025-69222 CRITICAL POC
9.1 Jan 07

LibreChat 0.8.1-rc2 has SSRF in the Actions feature that allows authenticated users to make the server perform requests

CVE-2026-22252 CRITICAL POC
9.1 Jan 12

LibreChat before v0.8.2-rc2 allows any authenticated user to execute shell commands as root inside the container through

CVE-2025-66201 HIGH POC
8.6 Nov 29

LibreChat is a ChatGPT clone with additional features. Rated high severity (CVSS 8.6), this vulnerability is remotely ex

CVE-2024-11171 HIGH POC
7.5 Mar 20

In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. Rated high severity (

CVE-2025-69220 HIGH POC
7.1 Jan 07

LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file

CVE-2024-11173 MEDIUM POC
6.5 Mar 20

An unhandled exception in the danny-avila/librechat repository, version git 600d217, can cause the server to crash, lead

CVE-2024-10366 MEDIUM POC
6.5 Mar 20

An improper access control vulnerability (IDOR) exists in the delete attachments functionality of danny-avila/librechat

CVE-2024-41704 CRITICAL
9.8 Jul 22

LibreChat through 0.7.4-rc1 does not validate the normalized pathnames of images. Rated critical severity (CVSS 9.8), th

CVE-2024-41703 CRITICAL
9.8 Jul 22

LibreChat through 0.7.4-rc1 has incorrect access control for message updates. Rated critical severity (CVSS 9.8), this v

CVE-2024-10363 MEDIUM POC
5.4 Mar 20

In version 0.7.5 of danny-avila/LibreChat, there is an improper access control vulnerability. Rated medium severity (CVS

Share

CVE-2026-32625 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy