FKIE_CVE-2026-31944
Vulnerability from fkie_nvd - Published: 2026-03-13 19:54 - Updated: 2026-03-17 12:39
Summary
LibreChat is a ChatGPT clone with additional features. From 0.8.2 to 0.8.2-rc3, the MCP (Model Context Protocol) OAuth callback endpoint accepts the redirect from the identity provider and stores OAuth tokens for the user who initiated the flow, without verifying that the browser hitting the redirect URL is logged in or that the logged-in user matches the initiator. An attacker can send the authorization URL to a victim; when the victim completes the flow, the victim's OAuth tokens are stored on the attacker's LibreChat account, enabling account takeover of the victim's MCP-linked services (e.g. Atlassian, Outlook). This vulnerability is fixed in 0.8.3-rc1.
References
| Source | URL | Tags |
|---|---|---|
| security-advisories@github.com | https://github.com/danny-avila/LibreChat/security/advisories/GHSA-vf7j-7mrx-hp7g | Exploit, Vendor Advisory |
```json
{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:librechat:librechat:0.8.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "8D828ED6-3F44-4DD1-B29F-62D8977AF33A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:librechat:librechat:0.8.2:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "8E26DE8F-E11A-4052-B9FE-59AD6B9AFD03",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:librechat:librechat:0.8.2:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "21865C8B-C628-4275-A552-89F64EF22918",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:librechat:librechat:0.8.2:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "47A1B487-1A7B-4E06-8503-56E7D349FAA2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "LibreChat is a ChatGPT clone with additional features. From 0.8.2 to 0.8.2-rc3, The MCP (Model Context Protocol) OAuth callback endpoint accepts the redirect from the identity provider and stores OAuth tokens for the user who initiated the flow, without verifying that the browser hitting the redirect URL is logged in or that the logged-in user matches the initiator. An attacker can send the authorization URL to a victim; when the victim completes the flow, the victim\u2019s OAuth tokens are stored on the attacker\u2019s LibreChat account, enabling account takeover of the victim\u2019s MCP-linked services (e.g. Atlassian, Outlook). This vulnerability is fixed in 0.8.3-rc1."
    },
    {
      "lang": "es",
      "value": "LibreChat es un clon de ChatGPT con caracter\u00edsticas adicionales. Desde 0.8.2 hasta 0.8.2-rc3, el endpoint de callback OAuth de MCP (Model Context Protocol) acepta la redirecci\u00f3n del proveedor de identidad y almacena tokens OAuth para el usuario que inici\u00f3 el flujo, sin verificar que el navegador que accede a la URL de redirecci\u00f3n est\u00e9 logueado o que el usuario logueado coincida con el iniciador. Un atacante puede enviar la URL de autorizaci\u00f3n a una v\u00edctima; cuando la v\u00edctima completa el flujo, los tokens OAuth de la v\u00edctima se almacenan en la cuenta de LibreChat del atacante, permitiendo la toma de control de la cuenta de los servicios vinculados a MCP de la v\u00edctima (p. ej., Atlassian, Outlook). Esta vulnerabilidad se corrige en 0.8.3-rc1."
    }
  ],
  "id": "CVE-2026-31944",
  "lastModified": "2026-03-17T12:39:41.723",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 4.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-13T19:54:39.590",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-vf7j-7mrx-hp7g"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}
```