Description
LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc1 through 0.8.3-rc1, user-created MCP (Model Context Protocol) servers can include arbitrary HTTP headers that undergo credential placeholder substitution. An attacker can create a malicious MCP server with headers containing `{{LIBRECHAT_OPENID_ACCESS_TOKEN}}` (and others), causing victims who call tools on that server to have their OAuth tokens exfiltrated. Version 0.8.3-rc2 fixes the issue.
Published: 2026-03-27
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Token theft via header injection
Action: Patch
AI Analysis

Impact

LibreChat versions 0.8.2-rc1 through 0.8.3-rc1 allow user‑created MCP servers to inject arbitrary HTTP headers that are processed on the server side with credential placeholder substitution. An attacker can embed the placeholder {{LIBRECHAT_OPENID_ACCESS_TOKEN}} into a header so that any user who invokes a tool on that MCP server has their OAuth token automatically captured and sent to the attacker. The primary impact is the exfiltration of user authentication tokens, which can be used to impersonate the user or gain unauthorized access to services.

Affected Systems

The affected product is LibreChat, a ChatGPT clone developed by danny‑avila. Vulnerable releases range from 0.8.2‑rc1 to 0.8.3‑rc1 inclusive. The issue was fixed in 0.8.3‑rc2 and later releases, so administrators should upgrade to at least that version to eliminate the risk.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate severity, but the EPSS score is below 1 %, showing a low current likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to host a malicious MCP server and for a victim to execute a tool that contacts that server, so attack feasibility is contingent on user interaction with the compromised server. Given these conditions, the overall risk is moderate but exploitable in environments where user‑created MCP servers are routinely used.

Generated by OpenCVE AI on March 31, 2026 at 05:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update LibreChat to version 0.8.3‑rc2 or any newer release that applies the fix
  • If updating immediately is not possible, restrict use of user‑created MCP servers or remove known malicious servers from the configuration
  • Monitor OAuth token usage logs for unexpected redirection or transmission to external hosts
  • Check the LibreChat project repository or vendor announcements for additional security patches or updates

Generated by OpenCVE AI on March 31, 2026 at 05:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
First Time appeared Librechat
Librechat librechat
CPEs cpe:2.3:a:librechat:librechat:*:*:*:*:*:*:*:*
cpe:2.3:a:librechat:librechat:0.8.3:rc1:*:*:*:*:*:*
Vendors & Products Librechat
Librechat librechat

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Danny-avila
Danny-avila libre Chat
Vendors & Products Danny-avila
Danny-avila libre Chat

Fri, 27 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
Description LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc1 through 0.8.3-rc1, user-created MCP (Model Context Protocol) servers can include arbitrary HTTP headers that undergo credential placeholder substitution. An attacker can create a malicious MCP server with headers containing `{{LIBRECHAT_OPENID_ACCESS_TOKEN}}` (and others), causing victims who call tools on that server to have their OAuth tokens exfiltrated. Version 0.8.3-rc2 fixes the issue.
Title LibreChat's MCP Server Header Injection Enables OAuth Token Theft
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N'}

Subscriptions

Danny-avila Libre Chat
Librechat Librechat
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T13:46:25.297Z

Reserved: 2026-03-10T15:10:10.657Z

Link: CVE-2026-31951

cve-icon Vulnrichment

Updated: 2026-03-31T13:46:22.158Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T20:16:30.397

Modified: 2026-03-30T20:29:45.493

Link: CVE-2026-31951

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:00:49Z

Weaknesses