Description
LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc1 through 0.8.3-rc1, user-created MCP (Model Context Protocol) servers can include arbitrary HTTP headers that undergo credential placeholder substitution. An attacker can create a malicious MCP server with headers containing `{{LIBRECHAT_OPENID_ACCESS_TOKEN}}` (and others), causing victims who call tools on that server to have their OAuth tokens exfiltrated. Version 0.8.3-rc2 fixes the issue.
Published: 2026-03-27
Score: 6.8 Medium
EPSS: n/a
KEV: No
Impact: OAuth token exfiltration (Sensitive Information Disclosure).
Action: Patch Now
AI Analysis

Impact

LibreChat versions 0.8.2-rc1 to 0.8.3-rc1 allow user-created MCP servers to inject arbitrary HTTP headers that undergo credential placeholder substitution. An attacker can craft a malicious MCP server with a header containing the placeholder {{LIBRECHAT_OPENID_ACCESS_TOKEN}}, which is replaced with the victim's OAuth token when the client calls a tool on that server. The stolen token lets the attacker impersonate the victim's authenticated session and perform any action the user is authorized to perform.

Affected Systems

This flaw affects LibreChat maintained by danny-avila, specifically versions 0.8.2-rc1 through 0.8.3-rc1. Version 0.8.3-rc2 contains a fix that removes the vulnerable header injection behaviour. No other versions or vendors are known to be impacted.

Risk and Exploitability

The CVSS score is 6.8, indicating a moderate severity vulnerability. No EPSS data is available, and the issue is not included in the CISA KEV catalog. The attack requires the victim to engage with a crafted MCP server that supplies the malicious header; the victim’s client will replace the placeholder and forward the token to the attacker. Once exfiltrated, the attacker can readily abuse the token to access protected resources. Because the exploit path is relatively simple and does not require additional conditions, the risk is significant for environments where users interact with untrusted MCP servers.

Generated by OpenCVE AI on March 27, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the update to LibreChat v0.8.3-rc2 or later.
  • If an update is not feasible immediately, disable or block the ability for users to configure custom MCP servers that can inject headers.
  • Monitor OAuth token usage for unusual activity and invalidate compromised tokens promptly.
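The defect described above is that placeholder substitution ran on headers of every MCP server, including ones a user defined. As an added example (not LibreChat's own code), the following shows the unsafe pattern next to a hardened version that substitutes only for operator-managed servers, plus an audit helper that flags credential placeholders in stored server definitions; the `source` field, the placeholder set and the sample credentials are assumptions constructed for the example.

```javascript
// Added example, not LibreChat's code; field names and the placeholder set are assumptions.
const PLACEHOLDER_RE = /\{\{(LIBRECHAT_[A-Z0-9_]+)\}\}/g;

// Placeholders that resolve to the calling user's credentials (assumed set).
const CREDENTIAL_PLACEHOLDERS = new Set([
  'LIBRECHAT_OPENID_ACCESS_TOKEN',
  'LIBRECHAT_OPENID_ID_TOKEN',
]);

// Vulnerable pattern: substitute in every header, whoever defined the server.
function buildHeadersUnsafe(server, creds) {
  const out = {};
  for (const [name, value] of Object.entries(server.headers ?? {})) {
    out[name] = String(value).replace(PLACEHOLDER_RE, (m, key) => creds[key] ?? m);
  }
  return out;
}

// Audit helper: list credential placeholders in a header set, e.g. to reject a
// user-created server definition at save time or to scan stored configurations.
function findCredentialPlaceholders(headers) {
  const found = [];
  for (const [name, value] of Object.entries(headers ?? {})) {
    for (const m of String(value).matchAll(PLACEHOLDER_RE)) {
      if (CREDENTIAL_PLACEHOLDERS.has(m[1])) {
        found.push({ header: name, placeholder: m[1] });
      }
    }
  }
  return found;
}

// Hardened: substitution only for operator-managed servers (server.source ===
// 'admin', an assumed field). A user-created server's header that references a
// placeholder is dropped rather than sent with either the template or a token.
function buildHeaders(server, creds) {
  const out = {};
  for (const [name, value] of Object.entries(server.headers ?? {})) {
    const text = String(value);
    const hasPlaceholder = /\{\{LIBRECHAT_[A-Z0-9_]+\}\}/.test(text);
    if (server.source !== 'admin') {
      if (!hasPlaceholder) out[name] = text;
      continue;
    }
    out[name] = text.replace(PLACEHOLDER_RE, (m, key) => creds[key] ?? m);
  }
  return out;
}
```

Running `findCredentialPlaceholders` over existing user-created server definitions gives a quick inventory of configurations that would have leaked a token on the affected versions.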

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 19:45:00 +0000

Type        | Values Removed | Values Added
Description |                | LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc1 through 0.8.3-rc1, user-created MCP (Model Context Protocol) servers can include arbitrary HTTP headers that undergo credential placeholder substitution. An attacker can create a malicious MCP server with headers containing `{{LIBRECHAT_OPENID_ACCESS_TOKEN}}` (and others), causing victims who call tools on that server to have their OAuth tokens exfiltrated. Version 0.8.3-rc2 fixes the issue.
Title       |                | LibreChat's MCP Server Header Injection Enables OAuth Token Theft
Weaknesses  |                | CWE-200
References  |                |
Metrics     |                | cvssV3_1 {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:29:25.892Z

Reserved: 2026-03-10T15:10:10.657Z

Link: CVE-2026-31951

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-27T20:16:30.397

Modified: 2026-03-27T20:16:30.397

Link: CVE-2026-31951

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:27:32Z

Weaknesses