Impact
LibreChat’s MCP OAuth flow does not validate the resource parameter from the OAuth Protected Resource metadata against the configured MCP server URL, allowing a malicious MCP server to steal access tokens intended for a legitimate server. This omission lets a malicious MCP server capture access tokens that are intended for a legitimate server, allowing an attacker to impersonate users and access any downstream services that rely on those tokens. The principal impact is the compromise of user credentials and potentially the data they can access through the protected resources.
Affected Systems
The vulnerability affects the LibreChat application provided by danny‑avila, specifically all installations using a version older than 0.8.5. No additional product or vendor versions are listed as affected.
Risk and Exploitability
The CVSS score of 8 classifies this as a high‑severity flaw. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, which suggests it is not currently known to be exploited in the wild. The likely attack vector requires an attacker to host a malicious MCP server that an authenticated user may contact. Consequently, any user who authorizes through that server could have their tokens stolen.
OpenCVE Enrichment