Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Network endpoint with no UI and low complexity, but a valid session is required (PR:L); regenerating backup codes is a high integrity hit (I:H) with minor confidentiality exposure (C:L) and no availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
7DescriptionNVD
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the POST /api/auth/2fa/backup/regenerate endpoint regenerates all 2FA backup codes without requiring any TOTP token or existing backup code verification. An attacker with a stolen session token can silently replace a victim's backup codes and use them to bypass 2FA login or disable 2FA entirely. This vulnerability is fixed in 0.8.4-rc1.
AnalysisAI
Authentication-bypass weakness in LibreChat before 0.8.4-rc1 lets an attacker who already holds a valid session silently regenerate all of a victim's two-factor backup codes via POST /api/auth/2fa/backup/regenerate, which never asks for a current TOTP token or an existing backup code. With fresh codes in hand, the attacker can bypass 2FA at login or turn 2FA off entirely, neutralizing the account's second factor. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the attacker to already hold a valid authenticated session token for the target LibreChat account (PR:L) and an account that has 2FA enabled with backup codes available; the specific exploited feature is the POST /api/auth/2fa/backup/regenerate endpoint, which omits any TOTP-or-existing-backup-code re-verification. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are internally consistent and point to a real but bounded risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker steals or hijacks a logged-in user's LibreChat session token (e.g., via XSS, a leaked cookie, or a shared/compromised device) and sends a single POST to /api/auth/2fa/backup/regenerate. The server returns a brand-new set of backup codes without prompting for the victim's TOTP, letting the attacker log in past 2FA or disable 2FA outright; a proof-of-concept for this behavior is acknowledged in the SSVC data. |
| Remediation | Vendor-released patch: 0.8.4-rc1 - upgrade LibreChat to 0.8.4-rc1 or later as the primary fix, per advisory GHSA-h59w-x9h4-m6gv (https://github.com/danny-avila/LibreChat/security/advisories/GHSA-h59w-x9h4-m6gv). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all LibreChat instances and their current versions; assess scope based on number of active users. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
A vulnerability in danny-avila/librechat version git 81f2936 allows for path traversal due to improper sanitization of f
An arbitrary file deletion vulnerability exists in danny-avila/librechat version v0.7.5-rc2, specifically within the /ap
LibreChat 0.8.1-rc2 has SSRF in the Actions feature that allows authenticated users to make the server perform requests
LibreChat before v0.8.2-rc2 allows any authenticated user to execute shell commands as root inside the container through
LibreChat is a ChatGPT clone with additional features. Rated high severity (CVSS 8.6), this vulnerability is remotely ex
In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. Rated high severity (
LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file
An unhandled exception in the danny-avila/librechat repository, version git 600d217, can cause the server to crash, lead
An improper access control vulnerability (IDOR) exists in the delete attachments functionality of danny-avila/librechat
LibreChat through 0.7.4-rc1 does not validate the normalized pathnames of images. Rated critical severity (CVSS 9.8), th
LibreChat through 0.7.4-rc1 has incorrect access control for message updates. Rated critical severity (CVSS 9.8), this v
{VAR} placeholders against the host process environment, so attacker-controlled MCP URLs cause the LibreChat backend to
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39456