Description
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.5, LibreChat's MCP OAuth implementation does not validate that the resource parameter from OAuth Protected Resource metadata (RFC 9728) matches the configured MCP server URL, allowing a malicious MCP server to steal access tokens intended for a legitimate server. This vulnerability is fixed in 0.8.5.
Published: 2026-06-25
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LibreChat’s MCP OAuth flow does not validate the resource parameter from the OAuth Protected Resource metadata against the configured MCP server URL, allowing a malicious MCP server to steal access tokens intended for a legitimate server. This omission lets a malicious MCP server capture access tokens that are intended for a legitimate server, allowing an attacker to impersonate users and access any downstream services that rely on those tokens. The principal impact is the compromise of user credentials and potentially the data they can access through the protected resources.

Affected Systems

The vulnerability affects the LibreChat application provided by danny‑avila, specifically all installations using a version older than 0.8.5. No additional product or vendor versions are listed as affected.

Risk and Exploitability

The CVSS score of 8 classifies this as a high‑severity flaw. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, which suggests it is not currently known to be exploited in the wild. The likely attack vector requires an attacker to host a malicious MCP server that an authenticated user may contact. Consequently, any user who authorizes through that server could have their tokens stolen.

Generated by OpenCVE AI on June 25, 2026 at 18:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LibreChat to version 0.8.5 or later to apply the fix.
  • Restrict the MCP server list in LibreChat configuration to only trusted providers to reduce exposure to malicious servers.
  • Enable and review OAuth access token logs for suspicious activity, ensuring that tokens are not being redirected to unexpected servers.

Generated by OpenCVE AI on June 25, 2026 at 18:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Danny-avila
Danny-avila libre Chat
Vendors & Products Danny-avila
Danny-avila libre Chat

Thu, 25 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.5, LibreChat's MCP OAuth implementation does not validate that the resource parameter from OAuth Protected Resource metadata (RFC 9728) matches the configured MCP server URL, allowing a malicious MCP server to steal access tokens intended for a legitimate server. This vulnerability is fixed in 0.8.5.
Title LibreChat: Missing Resource Parameter Validation in MCP OAuth Flow
Weaknesses CWE-346
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N'}


Subscriptions

Danny-avila Libre Chat
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T02:04:54.939Z

Reserved: 2026-06-11T16:57:50.018Z

Link: CVE-2026-54030

cve-icon Vulnrichment

Updated: 2026-06-26T02:04:48.924Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T21:15:05Z

Weaknesses