Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Network endpoint, low complexity, and a valid session (PR:L) with no interaction; no data disclosure (C:N) but 2FA secret overwrite and lockout give I:H and A:H.
Primary rating from Vendor (GitHub_M).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
7DescriptionNVD
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the GET /api/auth/2fa/enable endpoint can be called by an authenticated user (or attacker with a stolen session) even when 2FA is already fully enabled on the account. This endpoint overwrites the existing TOTP secret, generates new backup codes, and sets twoFactorEnabled to false - all without requiring any TOTP or backup code verification. An attacker with a valid session token can completely take over a victim's 2FA, locking the legitimate user out of their own two-factor authentication. This vulnerability is fixed in 0.8.4-rc1.
AnalysisAI
Two-factor authentication takeover in LibreChat before 0.8.4-rc1 lets any authenticated user — or an attacker wielding a stolen session token — call the GET /api/auth/2fa/enable endpoint to silently overwrite an account's existing TOTP secret, regenerate backup codes, and flip twoFactorEnabled to false, all without TOTP or backup-code verification. The flaw destroys the victim's working second factor and can lock the legitimate owner out of their own 2FA. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Recommended ActionAI
Within 24 hours: Inventory all LibreChat instances and identify versions running before 0.8.4-rc1. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
A vulnerability in danny-avila/librechat version git 81f2936 allows for path traversal due to improper sanitization of f
An arbitrary file deletion vulnerability exists in danny-avila/librechat version v0.7.5-rc2, specifically within the /ap
LibreChat 0.8.1-rc2 has SSRF in the Actions feature that allows authenticated users to make the server perform requests
LibreChat before v0.8.2-rc2 allows any authenticated user to execute shell commands as root inside the container through
LibreChat is a ChatGPT clone with additional features. Rated high severity (CVSS 8.6), this vulnerability is remotely ex
In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. Rated high severity (
LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file
An unhandled exception in the danny-avila/librechat repository, version git 600d217, can cause the server to crash, lead
An improper access control vulnerability (IDOR) exists in the delete attachments functionality of danny-avila/librechat
LibreChat through 0.7.4-rc1 does not validate the normalized pathnames of images. Rated critical severity (CVSS 9.8), th
LibreChat through 0.7.4-rc1 has incorrect access control for message updates. Rated critical severity (CVSS 9.8), this v
{VAR} placeholders against the host process environment, so attacker-controlled MCP URLs cause the LibreChat backend to
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39454