{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31951", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T15:10:10.657Z", "datePublished": "2026-03-27T19:29:25.892Z", "dateUpdated": "2026-03-31T13:46:25.297Z"}, "containers": {"cna": {"title": "LibreChat's MCP Server Header Injection Enables OAuth Token Theft", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-pmw7-gqwj-f954", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-pmw7-gqwj-f954"}], "affected": [{"vendor": "danny-avila", "product": "LibreChat", "versions": [{"version": ">= v0.8.2-rc1, <= v0.8.3-rc1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T19:29:25.892Z"}, "descriptions": [{"lang": "en", "value": "LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc1 through 0.8.3-rc1, user-created MCP (Model Context Protocol) servers can include arbitrary HTTP headers that undergo credential placeholder substitution. An attacker can create a malicious MCP server with headers containing `{{LIBRECHAT_OPENID_ACCESS_TOKEN}}` (and others), causing victims who call tools on that server to have their OAuth tokens exfiltrated. Version 0.8.3-rc2 fixes the issue."}], "source": {"advisory": "GHSA-pmw7-gqwj-f954", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T13:45:16.896153Z", "id": "CVE-2026-31951", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T13:46:25.297Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31951", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T13:45:16.896153Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T13:46:22.158Z"}}], "cna": {"title": "LibreChat's MCP Server Header Injection Enables OAuth Token Theft", "source": {"advisory": "GHSA-pmw7-gqwj-f954", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "danny-avila", "product": "LibreChat", "versions": [{"status": "affected", "version": ">= v0.8.2-rc1, <= v0.8.3-rc1"}]}], "references": [{"url": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-pmw7-gqwj-f954", "name": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-pmw7-gqwj-f954", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc1 through 0.8.3-rc1, user-created MCP (Model Context Protocol) servers can include arbitrary HTTP headers that undergo credential placeholder substitution. An attacker can create a malicious MCP server with headers containing `{{LIBRECHAT_OPENID_ACCESS_TOKEN}}` (and others), causing victims who call tools on that server to have their OAuth tokens exfiltrated. Version 0.8.3-rc2 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T19:29:25.892Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31951", "state": "PUBLISHED", "dateUpdated": "2026-03-31T13:46:25.297Z", "dateReserved": "2026-03-10T15:10:10.657Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T19:29:25.892Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:librechat:librechat:*:*:*:*:*:*:*:*", "matchCriteriaId": "0B0F03AD-B51B-4501-B292-3133DBD964A8", "versionEndExcluding": "0.8.3", "versionStartIncluding": "0.8.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:librechat:librechat:0.8.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "482D0FE3-2AB3-47B6-982E-564A5B824464", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc1 through 0.8.3-rc1, user-created MCP (Model Context Protocol) servers can include arbitrary HTTP headers that undergo credential placeholder substitution. An attacker can create a malicious MCP server with headers containing `{{LIBRECHAT_OPENID_ACCESS_TOKEN}}` (and others), causing victims who call tools on that server to have their OAuth tokens exfiltrated. Version 0.8.3-rc2 fixes the issue."}], "id": "CVE-2026-31951", "lastModified": "2026-03-30T20:29:45.493", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-27T20:16:30.397", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-pmw7-gqwj-f954"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.8.2-rc1,0.8.3-rc1]"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "LibreChat", "source": "cna", "vendor": "danny-avila"}, "product": "libre_chat", "vendor": "danny-avila"}], "analysis": {"en": {"generated_at": "2026-03-31T05:43:15.920047+00:00", "value": {"mitigation_remediation": ["Update LibreChat to version 0.8.3\u2011rc2 or any newer release that applies the fix", "If updating immediately is not possible, restrict use of user\u2011created MCP servers or remove known malicious servers from the configuration", "Monitor OAuth token usage logs for unexpected redirection or transmission to external hosts", "Check the LibreChat project repository or vendor announcements for additional security patches or updates"], "summary": {"action": "Patch", "impact": "Token theft via header injection"}, "threat_synthesis": {"affected_systems": "The affected product is LibreChat, a ChatGPT clone developed by danny\u2011avila. Vulnerable releases range from 0.8.2\u2011rc1 to 0.8.3\u2011rc1 inclusive. The issue was fixed in 0.8.3\u2011rc2 and later releases, so administrators should upgrade to at least that version to eliminate the risk.", "description_and_impact": "LibreChat versions 0.8.2-rc1 through 0.8.3-rc1 allow user\u2011created MCP servers to inject arbitrary HTTP headers that are processed on the server side with credential placeholder substitution. An attacker can embed the placeholder {{LIBRECHAT_OPENID_ACCESS_TOKEN}} into a header so that any user who invokes a tool on that MCP server has their OAuth token automatically captured and sent to the attacker. The primary impact is the exfiltration of user authentication tokens, which can be used to impersonate the user or gain unauthorized access to services.", "risk_and_exploitability": "The CVSS score of 6.8 indicates moderate severity, but the EPSS score is below 1\u202f%, showing a low current likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to host a malicious MCP server and for a victim to execute a tool that contacts that server, so attack feasibility is contingent on user interaction with the compromised server. Given these conditions, the overall risk is moderate but exploitable in environments where user\u2011created MCP servers are routinely used."}}}}, "created": "2026-03-27T20:27:32.300415+00:00", "updated": "2026-03-31T20:00:49.342422+00:00", "vendors": ["danny-avila", "danny-avila$PRODUCT$libre_chat"]}