CVE-2026-31944
OAuth Token Theft via MCP Callback in LibreChat

Publication date: 2026-03-13

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
LibreChat is a ChatGPT clone with additional features. From 0.8.2 to 0.8.2-rc3, the MCP (Model Context Protocol) OAuth callback endpoint accepts the redirect from the identity provider and stores OAuth tokens for the user who initiated the flow, without verifying that the browser hitting the redirect URL is logged in or that the logged-in user matches the initiator. An attacker can send the authorization URL to a victim; when the victim completes the flow, the victim’s OAuth tokens are stored on the attacker’s LibreChat account, enabling account takeover of the victim’s MCP-linked services (e.g. Atlassian, Outlook). This vulnerability is fixed in 0.8.3-rc1.
Meta Information
Published: 2026-03-13
Last Modified: 2026-03-17
Generated: 2026-05-07
AI Q&A: 2026-03-13
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
librechat librechat 0.8.2
librechat librechat 0.8.2
librechat librechat 0.8.2
librechat librechat 0.8.2
CWE
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-31944 is a security vulnerability in LibreChat's MCP OAuth callback endpoint affecting versions from 0.8.2 to 0.8.2-rc3. The issue occurs because the OAuth callback handler does not verify that the browser making the callback request is logged in or matches the user who started the OAuth flow.

An attacker who is an authenticated LibreChat user can initiate an OAuth flow and obtain an authorization URL. The attacker then sends this URL to a victim. When the victim completes the OAuth flow by signing into the identity provider and approving access, LibreChat mistakenly stores the victim's OAuth tokens on the attacker's account.

This happens because the callback endpoint relies only on the OAuth state parameter to identify the user who started the flow, without validating the browser session or user identity making the callback request. As a result, the attacker gains access to the victim's linked external services (such as Atlassian or Outlook) through LibreChat. [1]
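The missing check described above, shown as a state-only callback beside a session-bound one. This is an added example, not LibreChat's code or its 0.8.3-rc1 fix; the function names, the in-memory stores, the request shape (`query`, `sessionUserId`) and the `example-mcp` server name are all assumptions made for illustration.

```javascript
// Added illustration, not LibreChat source; every name here is hypothetical.
const { randomBytes } = require('node:crypto');

const pendingFlows = new Map(); // state -> { userId, serverName }
const tokenStore = new Map();   // "userId:serverName" -> token

// An authenticated user starts the flow; the state is bound to that user.
function startFlow(userId, serverName) {
  const state = randomBytes(16).toString('hex');
  pendingFlows.set(state, { userId, serverName });
  return state;
}

// Stand-in for the code-for-token exchange with the identity provider.
const exchangeCode = (code) => `token-for-${code}`;

// Behaviour the advisory describes: the state alone decides whose account
// receives the tokens, whichever browser delivers the redirect.
function callbackStateOnly(req) {
  const flow = pendingFlows.get(req.query.state);
  if (!flow) return { status: 400, error: 'unknown_state' };
  pendingFlows.delete(req.query.state);
  tokenStore.set(`${flow.userId}:${flow.serverName}`, exchangeCode(req.query.code));
  return { status: 200, storedFor: flow.userId };
}

// Hardened: the browser must carry a session, and that session must belong
// to the user who started the flow, before the code is exchanged or stored.
function callbackSessionBound(req) {
  const flow = pendingFlows.get(req.query.state);
  if (!flow) return { status: 400, error: 'unknown_state' };
  if (!req.sessionUserId) return { status: 401, error: 'login_required' };
  pendingFlows.delete(req.query.state); // single use, even on mismatch
  if (req.sessionUserId !== flow.userId) return { status: 403, error: 'initiator_mismatch' };
  tokenStore.set(`${flow.userId}:${flow.serverName}`, exchangeCode(req.query.code));
  return { status: 200, storedFor: flow.userId };
}

// Constructed scenario: user-a starts a flow, another browser completes it.
function demo(handler, sessionUserId) {
  const state = startFlow('user-a', 'example-mcp');
  return handler({ query: { state, code: 'c1' }, sessionUserId });
}

console.log(demo(callbackStateOnly, 'user-b'), demo(callbackSessionBound, 'user-b'));
```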


How can this vulnerability impact me?

This vulnerability can lead to account takeover of your MCP-linked services if you are a victim. An attacker can trick you into completing an OAuth authorization flow that causes your OAuth tokens to be stored on the attacker's LibreChat account.

With these tokens, the attacker can access your linked external services such as Atlassian, Outlook, and others, potentially reading sensitive data like emails, Jira tickets, and calendars.

The attacker may also perform write actions within the scope of the OAuth permissions granted, which could lead to unauthorized changes or data manipulation in your linked accounts. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the OAuth callback endpoint at GET /:serverName/oauth/callback in LibreChat versions 0.8.2 to 0.8.2-rc3, which does not verify the browser session or logged-in user. Detection can focus on monitoring or inspecting requests to this endpoint for unauthorized or suspicious OAuth callback activity.

You can detect potential exploitation attempts by checking web server logs or application logs for unusual or repeated OAuth callback requests that do not correspond to authenticated sessions.

- Use network traffic inspection tools (e.g., tcpdump, Wireshark) to capture HTTP GET requests to the /oauth/callback endpoint and analyze the source IPs and user agents.
- On the LibreChat server, examine access logs for the OAuth callback route, for example using grep: grep "/oauth/callback" /path/to/access.log
- Check application logs or add logging around the OAuth callback handler to record the user session or lack thereof when the callback is received.
- If you have access to the LibreChat server, you can run commands to identify the version installed to confirm if it is vulnerable, for example: librechat --version or check package metadata.

[1]
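One way to act on the suggestion to log the session state at the callback and then review callbacks that do not correspond to the initiator's session. This is an added example, not LibreChat code; the record fields, verdict labels and sample events are assumptions, and the sample data is constructed.

```javascript
// Added illustration; the record fields and log shape are assumptions.
const { createHash } = require('node:crypto');

// One audit record per hit on GET /:serverName/oauth/callback. The state is
// stored only as a truncated hash so the log holds no reusable OAuth value.
function auditRecord({ serverName, state, initiatorId, sessionUserId, ip, userAgent }) {
  let verdict = 'match';
  if (!sessionUserId) verdict = 'no_session';
  else if (sessionUserId !== initiatorId) verdict = 'initiator_mismatch';
  return {
    route: `/${serverName}/oauth/callback`,
    stateHash: createHash('sha256').update(state).digest('hex').slice(0, 16),
    initiatorId, sessionUserId: sessionUserId || null, ip, userAgent, verdict,
  };
}

// Group callbacks that did not come from the initiator's own session by the
// account that would have received the tokens.
function triage(records) {
  const byInitiator = new Map();
  for (const r of records) {
    if (r.verdict === 'match') continue;
    const e = byInitiator.get(r.initiatorId) || { count: 0, ips: new Set(), verdicts: new Set() };
    e.count += 1;
    e.ips.add(r.ip);
    e.verdicts.add(r.verdict);
    byInitiator.set(r.initiatorId, e);
  }
  return [...byInitiator].map(([initiatorId, e]) => ({
    initiatorId, count: e.count, ips: [...e.ips].sort(), verdicts: [...e.verdicts].sort(),
  }));
}

// Constructed sample events (documentation IP ranges, made-up user ids).
const SAMPLE = [
  { serverName: 'example-mcp', state: 's1', initiatorId: 'u1', sessionUserId: 'u1', ip: '192.0.2.10', userAgent: 'UA-1' },
  { serverName: 'example-mcp', state: 's2', initiatorId: 'u2', sessionUserId: null, ip: '198.51.100.7', userAgent: 'UA-2' },
  { serverName: 'example-mcp', state: 's3', initiatorId: 'u2', sessionUserId: 'u3', ip: '203.0.113.5', userAgent: 'UA-3' },
].map(auditRecord);

console.log(JSON.stringify(triage(SAMPLE), null, 2));
```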


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade LibreChat to version 0.8.3-rc1 or later, where this vulnerability is fixed.

Until you can upgrade, consider restricting access to the OAuth callback endpoint or monitoring and blocking suspicious OAuth callback requests.

Educate users to avoid clicking on unsolicited OAuth authorization URLs, especially those sent by unknown or untrusted LibreChat users.

Review and tighten OAuth provider configurations to require explicit user consent where possible, reducing the risk of silent token acceptance.

