CVE-2026-31942 in LibreChat
Summary
by MITRE • 06/03/2026
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.7.6, an Insecure Direct Object Reference (IDOR) vulnerability exists in the API keys management endpoint (PUT /api/keys). Due to the use of the JavaScript object spread operator after setting the authenticated user's ID, any authenticated user can inject a userId parameter in the request body to overwrite any other user's API keys (e.g., OpenAI, Anthropic, Azure). This allows an attacker to replace a victim's API key configuration, potentially routing the victim's conversations through attacker-controlled keys or denying service by providing invalid keys. This is patched in version 0.8.3-rc1.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 06/03/2026
The vulnerability under discussion represents a critical Insecure Direct Object Reference flaw within the LibreChat application ecosystem, specifically impacting versions up to and including 0.7.6. This weakness manifests in the API keys management endpoint at PUT /api/keys where the application fails to properly validate user permissions before processing requests. The root cause stems from the improper implementation of the JavaScript object spread operator, which allows for direct manipulation of user identifiers within the request payload without adequate authorization checks.
The technical exploitation of this vulnerability occurs through a straightforward yet dangerous mechanism where authenticated users can craft malicious requests containing a userId parameter in the request body. When the application processes these requests using the spread operator, it indiscriminately accepts the injected userId value and overwrites the target user's API key configuration. This flaw directly violates fundamental access control principles and enables privilege escalation from a regular authenticated user to unauthorized modification of any other user's sensitive API credentials.
The operational impact of this vulnerability extends beyond simple data theft to encompass potential service disruption and malicious data routing. An attacker could substitute a victim's legitimate API keys with their own compromised credentials, effectively allowing unauthorized access to the victim's AI service integrations. This could result in the attacker gaining access to the victim's conversation history, billing charges, and potentially sensitive information processed through these AI services. Additionally, the attacker could deny service by replacing valid keys with invalid ones, rendering the victim's AI integrations completely non-functional and disrupting their workflow.
This vulnerability aligns with CWE-284, which specifically addresses inadequate access control mechanisms, and represents a classic example of how improper input validation can lead to unauthorized data manipulation. From an ATT&CK framework perspective, this flaw maps to privilege escalation and credential access techniques, enabling adversaries to move laterally within the application's user base and potentially access additional compromised systems through the stolen API keys. The patch implemented in version 0.8.3-rc1 addresses this issue by introducing proper authorization checks that validate the requesting user's permissions against the target user identifier, preventing unauthorized key modifications and ensuring that each user can only modify their own API configurations.