Skip to main content

Librechat EUVDEUVD-2026-16765

| CVE-2026-31945 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-27 GitHub_M
7.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:12 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
0.8.3-rc1
EUVD ID Assigned
Mar 27, 2026 - 19:45 euvd
EUVD-2026-16765
Analysis Generated
Mar 27, 2026 - 19:45 vuln.today
CVE Published
Mar 27, 2026 - 19:23 nvd
HIGH 7.7

DescriptionGitHub Advisory

LibreChat is a ChatGPT clone with additional features. Versions 0.8.2-rc2 through 0.8.2 are vulnerable to a server-side request forgery (SSRF) attack when using agent actions or MCP. Although a previous SSRF vulnerability (https://github.com/danny-avila/LibreChat/security/advisories/GHSA-rgjq-4q58-m3q8) was reported and patched, the fix only introduced hostname validation. It does not verify whether DNS resolution results in a private IP address. As a result, an attacker can still bypass the protection and gain access to internal resources, such as an internal RAG API or cloud instance metadata endpoints. Version 0.8.3-rc1 contains a patch.

AnalysisAI

Server-side request forgery in LibreChat 0.8.2-rc2 through 0.8.2 allows authenticated users to access internal network resources via incomplete DNS validation bypass. Despite a prior SSRF patch, the current hostname validation fails to check if DNS resolution points to private IP addresses, enabling attackers to reach internal RAG APIs and cloud metadata endpoints. CVSS 7.7 with network-based attack vector and low complexity. EPSS data not available; no confirmed active exploitation (not listed in CISA KEV). Patch released in version 0.8.3-rc1.

Technical ContextAI

This vulnerability affects LibreChat (cpe:2.3:a:danny-avila:librechat), an open-source ChatGPT alternative with extended capabilities including agent actions and Model Context Protocol (MCP) support. The flaw represents CWE-918 (Server-Side Request Forgery) where inadequate input validation in agent action or MCP handlers permits DNS rebinding attacks. The previous SSRF mitigation implemented hostname-based filtering but failed to validate the resolved IP addresses post-DNS lookup. This allows attackers to leverage DNS entries that resolve to RFC 1918 private address spaces (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or link-local addresses (169.254.0.0/16), circumventing hostname blocklists. The vulnerability specifically targets environments where LibreChat integrates with internal services like Retrieval-Augmented Generation APIs or operates in cloud environments with accessible metadata services (AWS 169.254.169.254, Azure 169.254.169.254, GCP metadata.google.internal).

RemediationAI

Upgrade immediately to LibreChat version 0.8.3-rc1 or later, which implements comprehensive IP address validation post-DNS resolution to prevent private IP access. The patch extends the prior hostname-based filtering with explicit checks for private IP ranges (RFC 1918), loopback addresses, link-local addresses, and cloud metadata endpoints. Organizations unable to upgrade immediately should implement network-level egress filtering to block LibreChat server access to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, 127.0.0.0/8) and cloud metadata services. Additionally, restrict authenticated user permissions where feasible and monitor agent action usage for suspicious internal hostname references. Review application logs for requests to private IP addresses or metadata endpoints as potential indicators of exploitation attempts. Full remediation details and patch download available in the GitHub security advisory at https://github.com/danny-avila/LibreChat/security/advisories/GHSA-f92m-jpv7-55p2.

CVE-2024-11170 HIGH POC
8.8 Mar 20

A vulnerability in danny-avila/librechat version git 81f2936 allows for path traversal due to improper sanitization of f

CVE-2024-10361 CRITICAL POC
9.1 Mar 20

An arbitrary file deletion vulnerability exists in danny-avila/librechat version v0.7.5-rc2, specifically within the /ap

CVE-2025-69222 CRITICAL POC
9.1 Jan 07

LibreChat 0.8.1-rc2 has SSRF in the Actions feature that allows authenticated users to make the server perform requests

CVE-2026-22252 CRITICAL POC
9.1 Jan 12

LibreChat before v0.8.2-rc2 allows any authenticated user to execute shell commands as root inside the container through

CVE-2025-66201 HIGH POC
8.6 Nov 29

LibreChat is a ChatGPT clone with additional features. Rated high severity (CVSS 8.6), this vulnerability is remotely ex

CVE-2024-11171 HIGH POC
7.5 Mar 20

In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. Rated high severity (

CVE-2025-69220 HIGH POC
7.1 Jan 07

LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file

CVE-2024-11173 MEDIUM POC
6.5 Mar 20

An unhandled exception in the danny-avila/librechat repository, version git 600d217, can cause the server to crash, lead

CVE-2024-10366 MEDIUM POC
6.5 Mar 20

An improper access control vulnerability (IDOR) exists in the delete attachments functionality of danny-avila/librechat

CVE-2024-41704 CRITICAL
9.8 Jul 22

LibreChat through 0.7.4-rc1 does not validate the normalized pathnames of images. Rated critical severity (CVSS 9.8), th

CVE-2024-41703 CRITICAL
9.8 Jul 22

LibreChat through 0.7.4-rc1 has incorrect access control for message updates. Rated critical severity (CVSS 9.8), this v

CVE-2026-32625 CRITICAL
9.6 Jun 02

{VAR} placeholders against the host process environment, so attacker-controlled MCP URLs cause the LibreChat backend to

Share

EUVD-2026-16765 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy