Description
LibreChat is a ChatGPT clone with additional features. Versions 0.8.2-rc2 through 0.8.2 are vulnerable to a server-side request forgery (SSRF) attack when using agent actions or MCP. Although a previous SSRF vulnerability (https://github.com/danny-avila/LibreChat/security/advisories/GHSA-rgjq-4q58-m3q8) was reported and patched, the fix only introduced hostname validation. It does not verify whether DNS resolution results in a private IP address. As a result, an attacker can still bypass the protection and gain access to internal resources, such as an internal RAG API or cloud instance metadata endpoints. Version 0.8.3-rc1 contains a patch.
Published: 2026-03-27
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery (SSRF)
Action: Apply Patch
AI Analysis

Impact

LibreChat versions 0.8.2‑rc2 through 0.8.2 suffer a server‑side request forgery flaw due to inadequate hostname validation. The vulnerability allows an attacker to craft requests that resolve DNS names to private IP addresses, enabling access to internal RAG APIs, cloud instance metadata, or other protected network services. This yields unauthorized data disclosure and potential lateral movement inside the network.

Affected Systems

The affected product is LibreChat by danny‑avila, specifically versions 0.8.2‑rc2 up to and including 0.8.2. The reported fix is incorporated in version 0.8.3‑rc1, which introduces proper DNS resolution checks and private‑IP filtering.

Risk and Exploitability

With a CVSS score of 7.7, the flaw is considered high severity, yet the EPSS score is below 1 % and the vulnerability is not listed in the KEV catalog, indicating a low likelihood of widespread exploitation in the near term. The attacker’s payload would likely be delivered through the agent actions or MCP interface, far from the industry‑standard network perimeter. If exploited, the attacker could read or modify internal resources and potentially pivot to other services, but the impact is limited to the system the LibreChat instance runs on with sufficient outbound access.

Generated by OpenCVE AI on March 31, 2026 at 05:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the LibreChat installation to version 0.8.3‑rc1 or later to apply the official fix.
  • If an upgrade cannot be performed immediately, restrict outbound traffic from the LibreChat server so that DNS queries and HTTP requests are only allowed to trusted public endpoints.
  • Configure firewall rules to block connections from the LibreChat process to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
  • Regularly audit server logs for unexpected outbound requests to internal addresses or cloud metadata services.

Generated by OpenCVE AI on March 31, 2026 at 05:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
First Time appeared Librechat
Librechat librechat
CPEs cpe:2.3:a:librechat:librechat:0.8.2:-:*:*:*:*:*:*
cpe:2.3:a:librechat:librechat:0.8.2:rc2:*:*:*:*:*:*
cpe:2.3:a:librechat:librechat:0.8.2:rc3:*:*:*:*:*:*
Vendors & Products Librechat
Librechat librechat

Mon, 30 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Danny-avila
Danny-avila libre Chat
Vendors & Products Danny-avila
Danny-avila libre Chat

Fri, 27 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
Description LibreChat is a ChatGPT clone with additional features. Versions 0.8.2-rc2 through 0.8.2 are vulnerable to a server-side request forgery (SSRF) attack when using agent actions or MCP. Although a previous SSRF vulnerability (https://github.com/danny-avila/LibreChat/security/advisories/GHSA-rgjq-4q58-m3q8) was reported and patched, the fix only introduced hostname validation. It does not verify whether DNS resolution results in a private IP address. As a result, an attacker can still bypass the protection and gain access to internal resources, such as an internal RAG API or cloud instance metadata endpoints. Version 0.8.3-rc1 contains a patch.
Title LibreChat Server-Side Request Forgery using DNS resolution
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Danny-avila Libre Chat
Librechat Librechat
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T19:00:53.475Z

Reserved: 2026-03-10T15:10:10.656Z

Link: CVE-2026-31945

cve-icon Vulnrichment

Updated: 2026-03-30T19:00:41.187Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T20:16:30.060

Modified: 2026-03-30T20:35:03.990

Link: CVE-2026-31945

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:00:51Z

Weaknesses