CVE-2026-44653
Received - Intake
Information Disclosure in LibreChat MCP Server

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, users with only `VIEW` access to an MCP server can retrieve the server's decrypted admin-managed secrets through `GET /api/mcp/servers` and `GET /api/mcp/servers/:serverName`. The returned config includes plaintext values for `apiKey.key` and `oauth.client_secret`. This allows viewers of a shared MCP server to exfiltrate the underlying provider credentials. Version 0.8.4 contains a patch. Other remediations include: never returning decrypted admin-managed secrets to non-owners; redacting `apiKey.key` and `oauth.client_secret` from all API responses; considering returning only boolean presence indicators for secrets, similar to the auth-values route pattern; and, if owners need to edit configs without re-entering secrets, preserving secrets server-side and returning placeholders instead of plaintext.
Meta Information
Published: 2026-06-02
Last Modified: 2026-06-02
Generated: 2026-06-03
AI Q&A: 2026-06-03
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE

| Vendor | Product | Version / Range |
|---|---|---|
| librechat | librechat | to 0.8.3 (inc) |

| CWE ID | Description |
|---|---|
| CWE-201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |

AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows users with only VIEW access to retrieve decrypted admin-managed secrets, including plaintext API keys and OAuth client secrets. Such unauthorized exposure of sensitive credentials can lead to data breaches or unauthorized access to protected systems.

Exposure of sensitive credentials may violate common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and proper access controls to prevent unauthorized disclosure.

Therefore, this vulnerability could negatively impact compliance by enabling unauthorized access to sensitive information, potentially leading to regulatory violations and associated penalties.


Can you explain this vulnerability to me?

This vulnerability affects LibreChat versions up to and including 0.8.3. Users who have only VIEW access to an MCP server can retrieve decrypted admin-managed secrets by using specific API endpoints (`GET /api/mcp/servers` and `GET /api/mcp/servers/:serverName`). The responses include plaintext sensitive information such as `apiKey.key` and `oauth.client_secret`. This means that viewers of a shared MCP server can exfiltrate the underlying provider credentials without needing higher privileges.

The issue is patched in version 0.8.4, and recommended remediations include not returning decrypted secrets to non-owners, redacting sensitive fields from API responses, returning only boolean indicators for secret presence, or using placeholders instead of plaintext secrets.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized disclosure of sensitive credentials such as API keys and OAuth client secrets. An attacker with VIEW access can exfiltrate these secrets, potentially allowing them to impersonate the server or access connected AI providers, leading to unauthorized actions or data exposure.

Since the vulnerability allows access to confidential credentials without elevated privileges, it increases the risk of credential theft and misuse, which can compromise the security and integrity of the affected systems.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading LibreChat to version 0.8.4 or later, which contains a patch for this vulnerability.

  • Never return decrypted admin-managed secrets to non-owners.
  • Redact apiKey.key and oauth.client_secret from all API responses.
  • Consider returning only boolean presence indicators for secrets, similar to the auth-values route pattern.
  • If owners need to edit configs without re-entering secrets, preserve secrets server-side and return placeholders instead of plaintext.
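
One way to implement the redaction and placeholder remediations listed above, as an added example rather than LibreChat's actual patch. Only `apiKey.key` and `oauth.client_secret` are taken from the advisory; the function names, the `_set` flag suffix, the placeholder string and the sample record are assumptions.

```javascript
// Added example, not LibreChat's code. Only apiKey.key and oauth.client_secret
// come from the advisory; all other names and values are hypothetical.
const SECRET_PATHS = [['apiKey', 'key'], ['oauth', 'client_secret']];
const PLACEHOLDER = '********'; // sentinel meaning "keep the stored secret"
const clone = (value) => JSON.parse(JSON.stringify(value));

// Response body for GET handlers: plaintext never leaves the server.
// Everyone gets a boolean presence flag; owners also get a placeholder.
function toResponseConfig(storedConfig, { isOwner = false } = {}) {
  const out = clone(storedConfig);
  for (const [section, field] of SECRET_PATHS) {
    const obj = out[section];
    if (!obj || typeof obj !== 'object') continue;
    const present = typeof obj[field] === 'string' && obj[field].length > 0;
    delete obj[field];
    obj[`${field}_set`] = present;
    if (isOwner && present) obj[field] = PLACEHOLDER;
  }
  return out;
}

// Merge an owner's edit: an absent field or the placeholder keeps the
// stored secret; any other string replaces it.
function applyOwnerUpdate(storedConfig, submitted) {
  const next = clone(submitted);
  for (const [section, field] of SECRET_PATHS) {
    const incoming = next[section];
    if (!incoming || typeof incoming !== 'object') continue;
    delete incoming[`${field}_set`]; // response-only flag, never persisted
    if (incoming[field] === undefined || incoming[field] === PLACEHOLDER) {
      const kept = (storedConfig[section] || {})[field];
      if (kept === undefined) delete incoming[field];
      else incoming[field] = kept;
    }
  }
  return next;
}

// Constructed sample record; the secret values are fake.
const SAMPLE_STORED = {
  url: 'https://mcp.example.test/sse',
  apiKey: { source: 'admin', key: 'sk-constructed-not-real' },
  oauth: { client_id: 'demo-client', client_secret: 'constructed-secret' },
};
console.log(JSON.stringify(toResponseConfig(SAMPLE_STORED), null, 2));
```

Applying the redaction at the serialization boundary, rather than per route, keeps both the list and single-server responses covered by the same check.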
