CVE-2026-54040 in LibreChat

Summary

by MITRE • 06/25/2026

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the POST /api/auth/2fa/backup/regenerate endpoint regenerates all 2FA backup codes without requiring any TOTP token or existing backup code verification. An attacker with a stolen session token can silently replace a victim's backup codes and use them to bypass 2FA login or disable 2FA entirely. This vulnerability is fixed in 0.8.4-rc1.


Analysis

by VulDB Data Team • 06/25/2026

This vulnerability exists within LibreChat, an open source chat interface that mimics ChatGPT functionality and supports multiple AI providers. The issue resides in the authentication system's two-factor authentication implementation, specifically at the POST /api/auth/2fa/backup/regenerate endpoint. The flaw represents a critical authorization bypass where the system fails to validate either a Time-based One-Time Password (TOTP) token or an existing backup code before allowing regeneration of all 2FA backup codes. This represents a fundamental breakdown in the principle of least privilege and proper authentication flow enforcement.

The technical implementation flaw stems from improper access control validation within the two-factor authentication workflow. When an attacker obtains a valid session token through session hijacking or other means, they can exploit this endpoint to silently regenerate backup codes without providing any proof of ownership or legitimate authorization. The vulnerability allows for complete bypass of the multi-factor authentication mechanism that should require either current TOTP token verification or existing backup code validation before permitting new code generation. This creates a scenario where an attacker can completely subvert the 2FA protection scheme by simply replacing backup codes and then using those codes to gain access to the victim's account.

The operational impact of this vulnerability is severe and multifaceted within the context of authentication security. An attacker with a stolen session token can not only maintain persistent access but can also systematically disable or bypass 2FA entirely by replacing backup codes with their own. This effectively neutralizes the layered security provided by two-factor authentication, allowing unauthorized access to user accounts while simultaneously preventing legitimate users from accessing their accounts through normal means. The vulnerability creates a persistent backdoor that can be exploited repeatedly without detection, making it particularly dangerous in environments where account compromise could lead to data breaches or further lateral movement.

This vulnerability aligns with CWE-305 Authentication Bypass Through User Impersonation and maps to ATT&CK technique T1078 Valid Accounts for maintaining access. The flaw also relates to CWE-287 Improper Certificate Validation and CWE-613 Insufficient Session Expiration, as it demonstrates inadequate session validation mechanisms that should prevent unauthorized code regeneration. Organizations using LibreChat versions prior to 0.8.4-rc1 face significant risk of account takeovers and unauthorized access attempts. The fix implemented in version 0.8.4-rc1 addresses this by enforcing proper validation checks before allowing backup code regeneration, requiring either current TOTP token verification or existing backup code authentication. This represents a critical security patch that restores the intended authentication flow and prevents the silent replacement of backup codes that would otherwise allow complete bypass of multi-factor authentication protections.

The vulnerability demonstrates a classic example of insufficient input validation and authorization checking in web applications, where endpoint access controls are not properly enforced. Modern secure application design principles require that all privileged operations, particularly those involving authentication mechanisms, must verify the user's legitimate authorization before executing any modification operations. The fix ensures that the regeneration process requires proper authentication context, making it impossible for unauthorized parties to silently replace backup codes and maintain access to victim accounts through bypass mechanisms. This represents a fundamental security improvement that addresses the core issue of privilege escalation through improper authentication flow enforcement.

Responsible

GitHub M

Reservation

06/11/2026

Disclosure

06/25/2026

Moderation

accepted

CPE

ready

EPSS

0.00154

KEV

no

Activities

low
