CVE-2026-31944 in LibreChat
Summary
by MITRE • 03/13/2026
LibreChat is a ChatGPT clone with additional features. From 0.8.2 to 0.8.2-rc3, the MCP (Model Context Protocol) OAuth callback endpoint accepts the redirect from the identity provider and stores OAuth tokens for the user who initiated the flow, without verifying that the browser hitting the redirect URL is logged in or that the logged-in user matches the initiator. An attacker can send the authorization URL to a victim; when the victim completes the flow, the victim’s OAuth tokens are stored on the attacker’s LibreChat account, enabling account takeover of the victim’s MCP-linked services (e.g. Atlassian, Outlook). This vulnerability is fixed in 0.8.3-rc1.
Analysis
by VulDB Data Team • 03/20/2026
CVE-2026-31944 affects LibreChat 0.8.2 through 0.8.2-rc3 and is a missing session-binding check in the Model Context Protocol (MCP) OAuth integration. The MCP OAuth callback endpoint accepts the redirect from the identity provider and associates the returned tokens with the user who started the flow, but it neither requires that the browser hitting the redirect URL holds a LibreChat session nor checks that the session user is the user who initiated the flow. Tokens are therefore stored on whichever account started the flow, not on the account of whoever actually completed it at the identity provider.
The attack is a short social-engineering chain. The attacker, logged in to their own LibreChat account, starts an MCP OAuth flow and forwards the resulting authorization URL to the victim. When the victim opens it and authorizes the application at the identity provider, the provider redirects the victim's browser to the LibreChat callback with an authorization response for the victim's identity. Because the callback binds the resulting tokens to the flow's initiator rather than to the session that completed it, the victim's tokens land on the attacker's account. The issue is classified as CWE-384 (Session Fixation): the attacker fixes the flow in advance and lets the victim complete it. In ATT&CK terms, delivery is T1566.002 (Phishing: Spearphishing Link), since the lure is a URL rather than an attachment, and the outcome maps to T1078.004 (Valid Accounts: Cloud Accounts), since the captured tokens give the attacker valid credentials for the victim's cloud services.
The impact is takeover of the victim's MCP-linked services rather than of the victim's LibreChat account: the attacker's LibreChat account now holds tokens that let it act as the victim against services such as Atlassian or Outlook, within whatever scopes the victim granted, for as long as the stored tokens remain usable. That is enough to read and exfiltrate mail, tickets and documents, and it requires no exploit beyond persuading a user to open a link. Users are likely to comply, because the URL leads to a genuine identity-provider login for a service they already use, which makes the flaw well suited to spearphishing in enterprise environments. Any user who follows such a link is exposed, whether or not they hold a LibreChat session of their own at the time.
The fix in 0.8.3-rc1 enforces authentication context on the callback: the request must carry a valid LibreChat session, and that session's user must match the user who initiated the flow before any token is stored. Deployments should upgrade to 0.8.3-rc1 or later. Anyone implementing a similar callback should treat the OAuth state value as a single-use, short-lived nonce bound to the initiating user's session, reject unauthenticated callbacks outright, and reject callbacks whose session user differs from the initiator; a CSRF token alone is not sufficient, because it does not establish who is completing the flow. For detection, log every callback with the session user, the flow's initiating user and the outcome, and alert on callbacks that arrive without a session or whose session user differs from the initiator. After upgrading, review stored MCP tokens for accounts holding tokens for identities that are not their own, and revoke those tokens at the provider.