Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-31944 is a security vulnerability in LibreChat's MCP OAuth callback endpoint affecting versions from 0.8.2 to 0.8.2-rc3. The issue occurs because the OAuth callback handler does not verify that the browser making the callback request is logged in or matches the user who started the OAuth flow."}, {'type': 'paragraph', 'content': "An attacker who is an authenticated LibreChat user can initiate an OAuth flow and obtain an authorization URL. The attacker then sends this URL to a victim. When the victim completes the OAuth flow by signing into the identity provider and approving access, LibreChat mistakenly stores the victim's OAuth tokens on the attacker's account."}, {'type': 'paragraph', 'content': "This happens because the callback endpoint relies only on the OAuth state parameter to identify the user who started the flow, without validating the browser session or user identity making the callback request. As a result, the attacker gains access to the victim's linked external services (such as Atlassian or Outlook) through LibreChat."}] [1]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can lead to account takeover of your MCP-linked services if you are a victim. An attacker can trick you into completing an OAuth authorization flow that causes your OAuth tokens to be stored on the attacker's LibreChat account."}, {'type': 'paragraph', 'content': 'With these tokens, the attacker can access your linked external services such as Atlassian, Outlook, and others, potentially reading sensitive data like emails, Jira tickets, and calendars.'}, {'type': 'paragraph', 'content': 'The attacker may also perform write actions within the scope of the OAuth permissions granted, which could lead to unauthorized changes or data manipulation in your linked accounts.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves the OAuth callback endpoint at GET /:serverName/oauth/callback in LibreChat versions 0.8.2 to 0.8.2-rc3, which does not verify the browser session or logged-in user. Detection can focus on monitoring or inspecting requests to this endpoint for unauthorized or suspicious OAuth callback activity.'}, {'type': 'paragraph', 'content': 'You can detect potential exploitation attempts by checking web server logs or application logs for unusual or repeated OAuth callback requests that do not correspond to authenticated sessions.'}, {'type': 'list_item', 'content': 'Use network traffic inspection tools (e.g., tcpdump, Wireshark) to capture HTTP GET requests to the /oauth/callback endpoint and analyze the source IPs and user agents.'}, {'type': 'list_item', 'content': 'On the LibreChat server, examine access logs for the OAuth callback route, for example using grep: grep "/oauth/callback" /path/to/access.log'}, {'type': 'list_item', 'content': 'Check application logs or add logging around the OAuth callback handler to record the user session or lack thereof when the callback is received.'}, {'type': 'list_item', 'content': 'If you have access to the LibreChat server, you can run commands to identify the version installed to confirm if it is vulnerable, for example: librechat --version or check package metadata.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade LibreChat to version 0.8.3-rc1 or later, where this vulnerability is fixed.

Until you can upgrade, consider restricting access to the OAuth callback endpoint or monitoring and blocking suspicious OAuth callback requests.

Educate users to avoid clicking on unsolicited OAuth authorization URLs, especially those sent by unknown or untrusted LibreChat users.

Review and tighten OAuth provider configurations to require explicit user consent where possible, reducing the risk of silent token acceptance.

Useful 0 Not Useful 0