Impact
LibreChat’s MCP OAuth callback endpoint accepted and stored access tokens without verifying that the browser completing the callback belonged to an authenticated session, or that the logged‑in user was the one who initiated the flow. An attacker can therefore start an OAuth flow on their own LibreChat instance and lure a victim into completing it; the victim’s OAuth tokens are then stored against the attacker’s LibreChat account. With those tokens, the attacker can access every MCP‑linked service the victim authorized (e.g., Atlassian, Outlook), effectively achieving an account takeover of those services. The weakness is a missing authentication check for a critical function (CWE‑306).
Affected Systems
CVE‑2026‑31944 affects LibreChat 0.8.2 and its release candidates 0.8.2‑rc1, 0.8.2‑rc2 and 0.8.2‑rc3, as indicated by the affected CPEs. Builds from 0.8.3‑rc1 onward contain the fix, which restores proper session validation on the callback.
Risk and Exploitability
With a CVSS score of 7.6, the vulnerability is rated high severity. The EPSS score is below 1%, indicating a low estimated probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. Exploitation likely requires the attacker to lure a victim into completing an OAuth flow on the attacker’s LibreChat instance, which is achievable via phishing or malicious links. The attack path is remote and does not require prior compromise of the victim’s system; it relies solely on the victim following the redirect URL.
OpenCVE Enrichment