Description
LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc2 through 0.8.2-rc3, the SSE streaming endpoint `/api/agents/chat/stream/:streamId` does not verify that the requesting user owns the stream. Any authenticated user who obtains or guesses a valid stream ID can subscribe and read another user's real-time chat content, including messages, AI responses, and tool invocations. Version 0.8.2 patches the issue.
Published: 2026-03-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access and disclosure of other users' chat content
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an Insecure Direct Object Reference (IDOR) in LibreChat's SSE streaming endpoint: an authenticated user who knows or guesses a stream identifier can receive real-time chat data belonging to another user. The leak can reveal private messages, AI responses, and tool usage, compromising confidentiality. The weakness corresponds to CWE-284 (Improper Access Control) and CWE-639 (Authorization Bypass Through User-Controlled Key).

Affected Systems

The affected product is LibreChat by Danny Avila, specifically release candidates 0.8.2-rc2 and 0.8.2-rc3. The issue is resolved in the stable 0.8.2 release. No other vendors or products are listed as affected.

Risk and Exploitability

The CVSS v3.1 base score is 5.3, indicating moderate severity. The EPSS score is less than 1%, suggesting a low probability of exploitation. The vulnerability is not present in CISA's KEV catalog. An attacker must be authenticated and must determine a valid stream ID; because the ownership check is missing, the endpoint then accepts a subscription to any stream ID. The likely scenarios are an insider or a compromised account.

Generated by OpenCVE AI on March 31, 2026 at 05:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LibreChat to version 0.8.2 or later, which contains the fix.
  • Verify that all deployed instances have been updated to the patched release.
  • Audit application logs for unexpected SSE connections that may indicate exploitation.
  • If an immediate update is not possible, restrict access to the SSE endpoint to users with verified ownership or implement manual authorization checks.
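The ownership check that the recommended actions call for, shown next to the existence-only pattern the description reports, as an added example that is not LibreChat's code or part of the original page. `StreamRegistry`, its method names and the stream IDs are hypothetical; answering 404 rather than 403 for a foreign stream is a choice made here so the response does not confirm that the ID is valid.

```javascript
// Added example. StreamRegistry, register(), subscribe() and the record
// shape are hypothetical; this is not LibreChat's code.
class StreamRegistry {
  constructor() {
    this.streams = new Map(); // streamId -> { ownerId, subscribers }
    this.denied = [];         // audit trail of rejected subscriptions
  }

  // Bind the stream to the user who started the chat at creation time.
  register(streamId, ownerId) {
    this.streams.set(streamId, { ownerId, subscribers: new Set() });
  }

  // Flawed pattern from the advisory: existence of the ID is the only check.
  subscribeUnchecked(userId, streamId) {
    const stream = this.streams.get(streamId);
    if (!stream) return { status: 404 };
    stream.subscribers.add(userId);
    return { status: 200 };
  }

  // Hardened: the authenticated user must match the recorded owner.
  subscribe(userId, streamId) {
    const stream = this.streams.get(streamId);
    if (!stream) return { status: 404 };
    if (stream.ownerId !== userId) {
      // Record the attempt for log review, and answer exactly as for an
      // unknown ID so the response does not confirm that the stream exists.
      this.denied.push({ userId, streamId, at: new Date().toISOString() });
      return { status: 404 };
    }
    stream.subscribers.add(userId);
    return { status: 200 };
  }
}

// Constructed sample data: one stream owned by "alice", probed by "bob".
function demo() {
  const reg = new StreamRegistry();
  reg.register('stream-alice-1', 'alice');
  return {
    unchecked: reg.subscribeUnchecked('bob', 'stream-alice-1').status,
    foreign: reg.subscribe('bob', 'stream-alice-1').status,
    owner: reg.subscribe('alice', 'stream-alice-1').status,
    unknown: reg.subscribe('bob', 'no-such-stream').status,
    denied: reg.denied.map((d) => `${d.userId}:${d.streamId}`),
  };
}
console.log(demo());
```

The `denied` entries are the kind of record the log-audit action above would look for: a user ID paired with a stream ID it does not own.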


Advisories

No advisories yet.

History

Tue, 31 Mar 2026 03:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Librechat; Librechat librechat |
| Weaknesses | | CWE-639 |
| CPEs | | cpe:2.3:a:librechat:librechat:0.8.2:rc2:*:*:*:*:*:*, cpe:2.3:a:librechat:librechat:0.8.2:rc3:*:*:*:*:*:* |
| Vendors & Products | | Librechat; Librechat librechat |

Mon, 30 Mar 2026 07:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Danny-avila; Danny-avila libre Chat |
| Vendors & Products | | Danny-avila; Danny-avila libre Chat |

Fri, 27 Mar 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Fri, 27 Mar 2026 19:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc2 through 0.8.2-rc3, the SSE streaming endpoint `/api/agents/chat/stream/:streamId` does not verify that the requesting user owns the stream. Any authenticated user who obtains or guesses a valid stream ID can subscribe and read another user's real-time chat content, including messages, AI responses, and tool invocations. Version 0.8.2 patches the issue. |
| Title | | LibreChat's IDOR in SSE Stream Subscription Allows Reading Other Users' Chats |
| Weaknesses | | CWE-284 |
| References | | |
| Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'} |

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:55:24.141Z

Reserved: 2026-03-10T15:10:10.657Z

Link: CVE-2026-31950

Vulnrichment

Updated: 2026-03-27T19:55:21.101Z

NVD

Status: Analyzed

Published: 2026-03-27T20:16:30.217

Modified: 2026-03-30T20:32:16.933

Link: CVE-2026-31950

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:00:50Z

Weaknesses