Description
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the POST /api/auth/2fa/backup/regenerate endpoint regenerates all 2FA backup codes without requiring any TOTP token or existing backup code verification. An attacker with a stolen session token can silently replace a victim's backup codes and use them to bypass 2FA login or disable 2FA entirely. This vulnerability is fixed in 0.8.4-rc1.
Published: 2026-06-25
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LibreChat versions before 0.8.4-rc1 contain a flaw that allows a user with a valid session token to regenerate all two-factor authentication backup codes without providing any one-time password or existing backup code. This flaw permits the replacement of a victim's backup codes, enabling an attacker to log in without providing the required challenge code or to disable two-factor authentication entirely. The weakness is classified as CWE-306, Missing Authentication for Critical Function: a sensitive operation is performed without re-verifying the factor it is meant to protect.

Affected Systems

The vulnerability affects the LibreChat application provided by the vendor Danny-Avila. Authenticated users running any version older than 0.8.4-rc1 are susceptible; all newer releases implement the required OTP or backup-code check prior to regeneration.

Risk and Exploitability

The CVSS score of 5.9 indicates a medium severity vulnerability. Attackers need only a stolen or otherwise legitimate session cookie, which could arise from phishing, credential stuffing or session hijacking. Because no additional verification is required, the exploit likelihood is high for compromised accounts, and it results in complete bypass of an important security boundary. The EPSS score is not available, but the lack of a KEV listing suggests that known exploits have not yet been observed, though the attack surface remains significant.

Generated by OpenCVE AI on June 25, 2026 at 17:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LibreChat to version 0.8.4-rc1 or later, which enforces TOTP or backup-code verification before regeneration of backup codes.
  • Reset existing 2FA backup codes for all users affected by earlier versions to invalidate any codes that may have been replaced by an attacker.
  • Invalidate any compromised session tokens and require users to re-authenticate with a valid TOTP or backup code to ensure the new backup codes are properly generated.


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 16:45:00 +0000

Type        | Values Removed | Values Added
Description |                | LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the POST /api/auth/2fa/backup/regenerate endpoint regenerates all 2FA backup codes without requiring any TOTP token or existing backup code verification. An attacker with a stolen session token can silently replace a victim's backup codes and use them to bypass 2FA login or disable 2FA entirely. This vulnerability is fixed in 0.8.4-rc1.
Title       |                | LibreChat: 2FA Backup Code Regeneration Without OTP Verification Allows 2FA Bypass
Weaknesses  |                | CWE-306
References  |                |
Metrics     |                | cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T18:13:32.543Z

Reserved: 2026-06-11T16:57:50.020Z

Link: CVE-2026-54040

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T18:00:07Z

Weaknesses
  • CWE-306: Missing Authentication for Critical Function