{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31945", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T15:10:10.656Z", "datePublished": "2026-03-27T19:23:53.395Z", "dateUpdated": "2026-03-30T19:00:53.475Z"}, "containers": {"cna": {"title": "LibreChat Server-Side Request Forgery using DNS resolution", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-f92m-jpv7-55p2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-f92m-jpv7-55p2"}], "affected": [{"vendor": "danny-avila", "product": "LibreChat", "versions": [{"version": ">= 0.8.2-rc2, < 0.8.3-rc1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T19:24:30.707Z"}, "descriptions": [{"lang": "en", "value": "LibreChat is a ChatGPT clone with additional features. Versions 0.8.2-rc2 through 0.8.2 are vulnerable to a server-side request forgery (SSRF) attack when using agent actions or MCP. Although a previous SSRF vulnerability (https://github.com/danny-avila/LibreChat/security/advisories/GHSA-rgjq-4q58-m3q8) was reported and patched, the fix only introduced hostname validation. It does not verify whether DNS resolution results in a private IP address. As a result, an attacker can still bypass the protection and gain access to internal resources, such as an internal RAG API or cloud instance metadata endpoints. Version 0.8.3-rc1 contains a patch."}], "source": {"advisory": "GHSA-f92m-jpv7-55p2", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-f92m-jpv7-55p2", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T19:00:49.640233Z", "id": "CVE-2026-31945", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T19:00:53.475Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31945", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T19:00:49.640233Z"}}}], "references": [{"url": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-f92m-jpv7-55p2", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T19:00:41.187Z"}}], "cna": {"title": "LibreChat Server-Side Request Forgery using DNS resolution", "source": {"advisory": "GHSA-f92m-jpv7-55p2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "danny-avila", "product": "LibreChat", "versions": [{"status": "affected", "version": ">= 0.8.2-rc2, < 0.8.3-rc1"}]}], "references": [{"url": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-f92m-jpv7-55p2", "name": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-f92m-jpv7-55p2", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "LibreChat is a ChatGPT clone with additional features. Versions 0.8.2-rc2 through 0.8.2 are vulnerable to a server-side request forgery (SSRF) attack when using agent actions or MCP. Although a previous SSRF vulnerability (https://github.com/danny-avila/LibreChat/security/advisories/GHSA-rgjq-4q58-m3q8) was reported and patched, the fix only introduced hostname validation. It does not verify whether DNS resolution results in a private IP address. As a result, an attacker can still bypass the protection and gain access to internal resources, such as an internal RAG API or cloud instance metadata endpoints. Version 0.8.3-rc1 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T19:24:30.707Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31945", "state": "PUBLISHED", "dateUpdated": "2026-03-30T19:00:53.475Z", "dateReserved": "2026-03-10T15:10:10.656Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T19:23:53.395Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:librechat:librechat:0.8.2:-:*:*:*:*:*:*", "matchCriteriaId": "8D828ED6-3F44-4DD1-B29F-62D8977AF33A", "vulnerable": true}, {"criteria": "cpe:2.3:a:librechat:librechat:0.8.2:rc2:*:*:*:*:*:*", "matchCriteriaId": "21865C8B-C628-4275-A552-89F64EF22918", "vulnerable": true}, {"criteria": "cpe:2.3:a:librechat:librechat:0.8.2:rc3:*:*:*:*:*:*", "matchCriteriaId": "47A1B487-1A7B-4E06-8503-56E7D349FAA2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LibreChat is a ChatGPT clone with additional features. Versions 0.8.2-rc2 through 0.8.2 are vulnerable to a server-side request forgery (SSRF) attack when using agent actions or MCP. Although a previous SSRF vulnerability (https://github.com/danny-avila/LibreChat/security/advisories/GHSA-rgjq-4q58-m3q8) was reported and patched, the fix only introduced hostname validation. It does not verify whether DNS resolution results in a private IP address. As a result, an attacker can still bypass the protection and gain access to internal resources, such as an internal RAG API or cloud instance metadata endpoints. Version 0.8.3-rc1 contains a patch."}], "id": "CVE-2026-31945", "lastModified": "2026-03-30T20:35:03.990", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T20:16:30.060", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-f92m-jpv7-55p2"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-f92m-jpv7-55p2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.8.2-rc2,0.8.3-rc1)"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "LibreChat", "source": "cna", "vendor": "danny-avila"}, "product": "libre_chat", "vendor": "danny-avila"}], "analysis": {"en": {"generated_at": "2026-03-31T05:43:36.858870+00:00", "value": {"mitigation_remediation": ["Upgrade the LibreChat installation to version\u202f0.8.3\u2011rc1 or later to apply the official fix.", "If an upgrade cannot be performed immediately, restrict outbound traffic from the LibreChat server so that DNS queries and HTTP requests are only allowed to trusted public endpoints.", "Configure firewall rules to block connections from the LibreChat process to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).", "Regularly audit server logs for unexpected outbound requests to internal addresses or cloud metadata services."], "summary": {"action": "Apply Patch", "impact": "Server\u2011Side Request Forgery (SSRF)"}, "threat_synthesis": {"affected_systems": "The affected product is LibreChat by danny\u2011avila, specifically versions 0.8.2\u2011rc2 up to and including 0.8.2. The reported fix is incorporated in version 0.8.3\u2011rc1, which introduces proper DNS resolution checks and private\u2011IP filtering.", "description_and_impact": "LibreChat versions 0.8.2\u2011rc2 through 0.8.2 suffer a server\u2011side request forgery flaw due to inadequate hostname validation. The vulnerability allows an attacker to craft requests that resolve DNS names to private IP addresses, enabling access to internal RAG APIs, cloud instance metadata, or other protected network services. This yields unauthorized data disclosure and potential lateral movement inside the network.", "risk_and_exploitability": "With a CVSS score of 7.7, the flaw is considered high severity, yet the EPSS score is below 1\u202f% and the vulnerability is not listed in the KEV catalog, indicating a low likelihood of widespread exploitation in the near term. The attacker\u2019s payload would likely be delivered through the agent actions or MCP interface, far from the industry\u2011standard network perimeter. If exploited, the attacker could read or modify internal resources and potentially pivot to other services, but the impact is limited to the system the LibreChat instance runs on with sufficient outbound access."}}}}, "created": "2026-03-27T20:27:34.317621+00:00", "updated": "2026-03-31T20:00:51.343537+00:00", "vendors": ["danny-avila", "danny-avila$PRODUCT$libre_chat"]}