{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31951", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T15:10:10.657Z", "datePublished": "2026-03-27T19:29:25.892Z", "dateUpdated": "2026-03-27T19:29:25.892Z"}, "containers": {"cna": {"title": "LibreChat's MCP Server Header Injection Enables OAuth Token Theft", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-pmw7-gqwj-f954", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-pmw7-gqwj-f954"}], "affected": [{"vendor": "danny-avila", "product": "LibreChat", "versions": [{"version": ">= v0.8.2-rc1, <= v0.8.3-rc1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T19:29:25.892Z"}, "descriptions": [{"lang": "en", "value": "LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc1 through 0.8.3-rc1, user-created MCP (Model Context Protocol) servers can include arbitrary HTTP headers that undergo credential placeholder substitution. An attacker can create a malicious MCP server with headers containing `{{LIBRECHAT_OPENID_ACCESS_TOKEN}}` (and others), causing victims who call tools on that server to have their OAuth tokens exfiltrated. Version 0.8.3-rc2 fixes the issue."}], "source": {"advisory": "GHSA-pmw7-gqwj-f954", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc1 through 0.8.3-rc1, user-created MCP (Model Context Protocol) servers can include arbitrary HTTP headers that undergo credential placeholder substitution. An attacker can create a malicious MCP server with headers containing `{{LIBRECHAT_OPENID_ACCESS_TOKEN}}` (and others), causing victims who call tools on that server to have their OAuth tokens exfiltrated. Version 0.8.3-rc2 fixes the issue."}], "id": "CVE-2026-31951", "lastModified": "2026-03-27T20:16:30.397", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T20:16:30.397", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-pmw7-gqwj-f954"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T20:21:22.130280+00:00", "value": {"mitigation_remediation": ["Apply the update to LibreChat v0.8.3\u2011rc2 or later.", "If an update is not feasible immediately, disable or block the ability for users to configure custom MCP servers that can inject headers.", "Monitor OAuth token usage for unusual activity and invalidate compromised tokens promptly."], "summary": {"action": "Patch Now", "impact": "OAuth token exfiltration (Sensitive Information Disclosure)."}, "threat_synthesis": {"affected_systems": "This flaw affects LibreChat maintained by danny\u2011avila, specifically versions 0.8.2\u2011rc1 through 0.8.3\u2011rc1. Version 0.8.3\u2011rc2 contains a fix that removes the vulnerable header injection behaviour. No other versions or vendors are known to be impacted.", "description_and_impact": "LibreChat versions 0.8.2\u2011rc1 to 0.8.3\u2011rc1 allow user\u2011created MCP servers to inject arbitrary HTTP headers that undergo credential placeholder substitution. An attacker can craft a malicious MCP server with a header containing the placeholder {{LIBRECHAT_OPENID_ACCESS_TOKEN}}, which is replaced with the victim\u2019s OAuth token when a client calls a tool on that server. The stolen token can be used to impersonate the user\u2019s authenticated session, granting the attacker full account access and the ability to impersonate the user for any action the user is authorized to perform.", "risk_and_exploitability": "The CVSS score is 6.8, indicating a moderate severity vulnerability. No EPSS data is available, and the issue is not included in the CISA KEV catalog. The attack requires the victim to engage with a crafted MCP server that supplies the malicious header; the victim\u2019s client will replace the placeholder and forward the token to the attacker. Once exfiltrated, the attacker can readily abuse the token to access protected resources. Because the exploit path is relatively simple and does not require additional conditions, the risk is significant for environments where users interact with untrusted MCP servers."}}}}, "created": "2026-03-27T20:27:32.300415+00:00", "updated": "2026-03-27T20:27:32.300439+00:00", "vendors": []}