Skip to main content

LibreChat EUVDEUVD-2026-39457

| CVE-2026-54030 CRITICAL
Origin Validation Error (CWE-346)
2026-06-25 GitHub_M
9.3
CVSS 3.1 · NVD
Share

Severity by source

Vendor (GitHub_M) PRIMARY
HIGH
qualitative
NVD
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
vuln.today AI
9.3 CRITICAL

Network OAuth flow with no attacker privileges but requires an operator to add the malicious server (UI:R); token theft crosses to another server (S:C) breaching confidentiality and enabling integrity actions, no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

7
Analysis Updated
Jun 30, 2026 - 00:13 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 00:13 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 00:07 vuln.today
cvss_changed
Severity Changed
Jun 30, 2026 - 00:07 NVD
HIGH CRITICAL
CVSS changed
Jun 30, 2026 - 00:07 NVD
8.0 (HIGH) 9.3 (CRITICAL)
Patch available
Jun 25, 2026 - 18:03 EUVD
Analysis Generated
Jun 25, 2026 - 17:16 vuln.today

DescriptionNVD

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.5, LibreChat's MCP OAuth implementation does not validate that the resource parameter from OAuth Protected Resource metadata (RFC 9728) matches the configured MCP server URL, allowing a malicious MCP server to steal access tokens intended for a legitimate server. This vulnerability is fixed in 0.8.5.

AnalysisAI

Access-token theft in LibreChat before 0.8.5 lets a malicious MCP (Model Context Protocol) server hijack OAuth tokens minted for a legitimate server, because the client never checks that the RFC 9728 resource parameter matches the configured MCP server URL. Any LibreChat operator who connects their instance to an attacker-controlled MCP server can have the OAuth access tokens intended for a trusted server silently exfiltrated. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Stand up malicious MCP server
Delivery
Lure operator to add server
Exploit
Serve crafted RFC 9728 resource metadata
Execution
LibreChat skips resource validation
Persist
Capture token meant for legitimate server
Impact
Replay token against trusted server

Vulnerability AssessmentAI

Exploitation Exploitation requires that LibreChat (prior to 0.8.5) be configured to use its MCP OAuth integration and that an operator/user connect the instance to an attacker-controlled MCP server - that act of trusting and adding the malicious server is the core prerequisite (reflected as UI:R in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and should be read together. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker stands up a malicious MCP server and lures a LibreChat administrator into adding it (e.g., advertised as a useful tool integration). When the operator initiates the OAuth flow, the rogue server returns Protected Resource metadata whose 'resource' value points at a legitimate server; LibreChat, not validating the resource against the configured URL, hands over or exposes the access token, which the attacker then replays against the trusted server. …
Remediation Vendor-released patch: upgrade to LibreChat 0.8.5, which adds validation that the OAuth Protected Resource metadata 'resource' parameter matches the configured MCP server URL; see the advisory at https://github.com/danny-avila/LibreChat/security/advisories/GHSA-gvpj-vm2f-2m23. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all LibreChat instances and current versions; isolate any running versions before 0.8.5 from connecting to new MCP servers. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-11170 HIGH POC
8.8 Mar 20

A vulnerability in danny-avila/librechat version git 81f2936 allows for path traversal due to improper sanitization of f

CVE-2024-10361 CRITICAL POC
9.1 Mar 20

An arbitrary file deletion vulnerability exists in danny-avila/librechat version v0.7.5-rc2, specifically within the /ap

CVE-2025-69222 CRITICAL POC
9.1 Jan 07

LibreChat 0.8.1-rc2 has SSRF in the Actions feature that allows authenticated users to make the server perform requests

CVE-2026-22252 CRITICAL POC
9.1 Jan 12

LibreChat before v0.8.2-rc2 allows any authenticated user to execute shell commands as root inside the container through

CVE-2025-66201 HIGH POC
8.6 Nov 29

LibreChat is a ChatGPT clone with additional features. Rated high severity (CVSS 8.6), this vulnerability is remotely ex

CVE-2024-11171 HIGH POC
7.5 Mar 20

In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. Rated high severity (

CVE-2025-69220 HIGH POC
7.1 Jan 07

LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file

CVE-2024-11173 MEDIUM POC
6.5 Mar 20

An unhandled exception in the danny-avila/librechat repository, version git 600d217, can cause the server to crash, lead

CVE-2024-10366 MEDIUM POC
6.5 Mar 20

An improper access control vulnerability (IDOR) exists in the delete attachments functionality of danny-avila/librechat

CVE-2024-41704 CRITICAL
9.8 Jul 22

LibreChat through 0.7.4-rc1 does not validate the normalized pathnames of images. Rated critical severity (CVSS 9.8), th

CVE-2024-41703 CRITICAL
9.8 Jul 22

LibreChat through 0.7.4-rc1 has incorrect access control for message updates. Rated critical severity (CVSS 9.8), this v

CVE-2026-32625 CRITICAL
9.6 Jun 02

{VAR} placeholders against the host process environment, so attacker-controlled MCP URLs cause the LibreChat backend to

Share

EUVD-2026-39457 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy