7.6

CVE-2026-31944

Exploit

LibreChat MCP OAuth callback does not validate browser session — allows token theft via redirect link

LibreChat is a ChatGPT clone with additional features. From 0.8.2 to 0.8.2-rc3, The MCP (Model Context Protocol) OAuth callback endpoint accepts the redirect from the identity provider and stores OAuth tokens for the user who initiated the flow, without verifying that the browser hitting the redirect URL is logged in or that the logged-in user matches the initiator. An attacker can send the authorization URL to a victim; when the victim completes the flow, the victim’s OAuth tokens are stored on the attacker’s LibreChat account, enabling account takeover of the victim’s MCP-linked services (e.g. Atlassian, Outlook). This vulnerability is fixed in 0.8.3-rc1.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LibrechatLibrechat Version0.8.2 Update-
LibrechatLibrechat Version0.8.2 Updaterc1
LibrechatLibrechat Version0.8.2 Updaterc2
LibrechatLibrechat Version0.8.2 Updaterc3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.24% 0.153
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 7.6 2.3 4.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://github.com/danny-avila/LibreChat/security/advisories/GHSA-vf7j-7mrx-hp7g
Vendor Advisory
Exploit