CVE-2026-31943 - Vulnerability Analysis
High | CVSS: 8.5 | Last Updated: March 27, 2026
LibreChat - Server Side Request Forgery
Overview
LibreChat < 0.8.3 contains a server-side request forgery (SSRF) vulnerability: the isPrivateIP() function does not correctly detect IPv4-mapped IPv6 addresses, so authenticated users can bypass SSRF protection and reach internal network resources.
Impact
Authenticated attackers can make the server send HTTP requests to internal network resources, potentially exposing sensitive data or services.
Mitigation
Upgrade to version 0.8.3 or later.
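The IPv4-mapped case from the Overview, as an added example (not LibreChat's code or its patch): a private-address check that expands an IPv6 literal to its eight 16-bit groups before classifying it, so `::ffff:127.0.0.1` and its hex-normalized form `::ffff:7f00:1` get the same answer. The function names are hypothetical, and the sketch assumes the caller passes already-resolved IP literals, treating anything unparseable as blocked.

```javascript
// Added example; helper names are hypothetical, not LibreChat's API.
function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((n) => n <= 255) ? octets : null;
}

function isPrivateIPv4([a, b]) {
  return a === 0 || a === 10 || a === 127 ||
    (a === 100 && b >= 64 && b <= 127) ||  // 100.64.0.0/10 (CGNAT)
    (a === 169 && b === 254) ||            // link-local, cloud metadata
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Expand an IPv6 literal to eight 16-bit integers; null if malformed.
function parseIPv6(s) {
  let text = s;
  const cut = text.lastIndexOf(':') + 1;
  if (text.slice(cut).includes('.')) {     // dotted tail: ::ffff:127.0.0.1
    const v4 = parseIPv4(text.slice(cut));
    if (!v4) return null;
    const hex = (hi, lo) => ((hi << 8) | lo).toString(16);
    text = text.slice(0, cut) + hex(v4[0], v4[1]) + ':' + hex(v4[2], v4[3]);
  }
  const halves = text.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const rest = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const fill = halves.length === 2 ? Math.max(8 - head.length - rest.length, 0) : 0;
  const groups = [...head, ...Array(fill).fill('0'), ...rest];
  const valid = groups.length === 8 && groups.every((g) => /^[0-9a-f]{1,4}$/.test(g));
  return valid ? groups.map((g) => parseInt(g, 16)) : null;
}

// True when the literal is private/internal, or cannot be parsed (fail closed).
function isPrivateAddress(host) {
  const addr = host.replace(/^\[|\]$/g, '').toLowerCase();
  const v4 = parseIPv4(addr);
  if (v4) return isPrivateIPv4(v4);
  const g = parseIPv6(addr);
  if (!g) return true;
  // ::ffff:0:0/96 is IPv4-mapped: classify the embedded IPv4 address.
  const mapped = g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff;
  if (mapped) return isPrivateIPv4([g[6] >> 8, g[6] & 0xff]);
  if (g.slice(0, 7).every((x) => x === 0) && g[7] <= 1) return true; // :: and ::1
  return (g[0] & 0xfe00) === 0xfc00 || (g[0] & 0xffc0) === 0xfe80;   // ULA, link-local
}
```

The WHATWG URL parser rewrites a dotted IPv4-mapped literal into the hex form when it serializes the hostname, which is why a check that only matches the dotted spelling misses it.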
Social Media Activity (2 posts)
CVE-2026-31943 - High (8.5) LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.3, `isPrivateIP()` in `packages/api/src/auth/domain.ts` fails to detect IPv4-mapped IPv6 addresses in their hex-normalized form, allowing any authenticated user to bypass ... https://www.thehackerwire.com/vulnerability/CVE-2026-31943/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-31943
- Severity: High
- CVSS Score: 8.5
- Type: server_side_request_forgery
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-918
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N