Description
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, users with only `VIEW` access to an MCP server can retrieve the server's decrypted admin-managed secrets through `GET /api/mcp/servers` and `GET /api/mcp/servers/:serverName`. The returned config includes plaintext values for `apiKey.key` and `oauth.client_secret`. This allows viewers of a shared MCP server to exfiltrate the underlying provider credentials. Version 0.8..4 contains a patch. Other remediations include: never returning decrypted admin-managed secrets to non-owners; redacting apiKey.key and oauth.client_secret from all API responses consider returning only boolean presence indicators for secrets, similar to the auth-values route pattern; and, if owners need to edit configs without re-entering secrets, preserving secrets server-side and returning placeholders instead of plaintext.
Published: 2026-06-02
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In LibreChat versions up to 0.8.3, the API endpoints /api/mcp/servers and /api/mcp/servers/:serverName return decrypted admin‑managed configuration values, including apiKey.key and oauth.client_secret, to any user who has only view rights to an MCP server. The vulnerability is a direct data confidentiality breach (CWE‑201) that allows attackers to exfiltrate sensitive credentials for the underlying AI provider. The impact is a leakage of authenticated API credentials that could facilitate unauthorized access to external services and potential misuse of the AI platform.

Affected Systems

LibreChat from the danny-avila project. Versions 0.8.0 through 0.8.3 are affected; version 0.8.4 and later contain a patch that removes the leaked information from responses.

Risk and Exploitability

The CVSS score is 6.5, indicating moderate severity. EPSS score is <1% and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires remote access to the LibreChat server and only view permission on an MCP server; no privilege escalation is needed. The likely attack vector is a malicious or compromised viewer sending standard API calls to the exposed endpoints. The risk is therefore moderate, with potential for credential theft that could compromise downstream services.

Generated by OpenCVE AI on June 4, 2026 at 20:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LibreChat to version 0.8.4 or later to apply the vendor patch
  • Configure the LibreChat instance to redact apiKey.key and oauth.client_secret from all MCP server API responses, preferably returning only boolean presence indicators or placeholders
  • Review and restrict MCP server view permissions, monitor API access logs for unauthorized /api/mcp/servers requests

Generated by OpenCVE AI on June 4, 2026 at 20:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Librechat
Librechat librechat
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:librechat:librechat:*:*:*:*:*:*:*:*
Vendors & Products Librechat
Librechat librechat

Wed, 03 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
First Time appeared Danny-avila
Danny-avila libre Chat
Vendors & Products Danny-avila
Danny-avila libre Chat

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Description LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, users with only `VIEW` access to an MCP server can retrieve the server's decrypted admin-managed secrets through `GET /api/mcp/servers` and `GET /api/mcp/servers/:serverName`. The returned config includes plaintext values for `apiKey.key` and `oauth.client_secret`. This allows viewers of a shared MCP server to exfiltrate the underlying provider credentials. Version 0.8..4 contains a patch. Other remediations include: never returning decrypted admin-managed secrets to non-owners; redacting apiKey.key and oauth.client_secret from all API responses consider returning only boolean presence indicators for secrets, similar to the auth-values route pattern; and, if owners need to edit configs without re-entering secrets, preserving secrets server-side and returning placeholders instead of plaintext.
Title LibreChat Shared MCP Server View Leaks Decrypted Admin Secrets
Weaknesses CWE-201
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Danny-avila Libre Chat
Librechat Librechat
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-03T19:00:27.312Z

Reserved: 2026-05-07T15:30:10.876Z

Link: CVE-2026-44653

cve-icon Vulnrichment

Updated: 2026-06-03T18:56:11.441Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-02T23:16:38.123

Modified: 2026-06-04T19:17:38.770

Link: CVE-2026-44653

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T21:00:15Z

Weaknesses