LeakyCreds

CVE-2026-31944 - Vulnerability Analysis

Severity: High | CVSS: 7.6

Last Updated: March 17, 2026

LibreChat - Authentication Bypass

Published: March 13, 2026 | Updated: March 17, 2026 | PoC Available | Remote Exploitable

Overview

LibreChat versions 0.8.2 to 0.8.2-rc3 contain an authentication bypass caused by a lack of verification on the MCP OAuth callback endpoint. It lets an attacker take over a victim's MCP-linked services; exploitation requires the victim to complete the OAuth flow.

Severity & Score

Severity: High
CVSS Score: 7.6
EPSS Score: 2.8% (probability of exploitation in the next 30 days)

Impact

An attacker can take over a victim's linked accounts because the OAuth tokens the victim obtains during the callback are stored on the attacker's account rather than the victim's.

Mitigation

Update to version 0.8.3-rc1 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 13, 2026

🟠 CVE-2026-31944 - High (7.6) LibreChat is a ChatGPT clone with additional features. From 0.8.2 to 0.8.2-rc3, The MCP (Model Context Protocol) OAuth callback endpoint accepts the redirect from the identity provider and stores OAuth tokens for the user who initiated the flow, w... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-31944/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-31944
Severity: High
CVSS Score: 7.6
Type: broken_authentication
Status: confirmed
EPSS: 2.8%
Social Posts: 1

CWE

  • CWE-306

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

EPSS Score

2.8% (probability of exploitation in the next 30 days)