Three vulnerabilities have been disclosed in LibreChat, the open-source ChatGPT clone supporting multiple AI providers, tracked as CVE-2026-32625 (CVSS 9.8 Critical), CVE-2026-44653 (CVSS 7.5 High), and CVE-2026-31942 (CVSS 7.5 High). All affect versions up to 0.8.3 and involve the Model Context Protocol (MCP) integration and access control flaws.
What Are the Vulnerabilities?
CVE-2026-32625 — MCP Environment Variable Injection (CVSS 9.8 Critical): The MCP server integration resolves ${VAR} environment variable references in MCP configuration. An attacker who can influence MCP server settings can inject environment variable references that resolve to sensitive server-side values — credentials, API keys, and configuration secrets — leading to information disclosure and potential privilege escalation.
CVE-2026-44653 — MCP Permission Bypass (CVSS 7.5 High): Users with only VIEW access to an MCP server can retrieve the server configuration including credential material, bypassing the intended access control that should restrict configuration visibility to administrators.
CVE-2026-31942 — Insecure Direct Object Reference (CVSS 7.5 High): An IDOR vulnerability in versions up to 0.7.6 allows attackers to access resources belonging to other users by manipulating object references in API requests, bypassing authorisation checks.
Which Versions Are Affected?
- LibreChat: versions up to and including 0.8.3 (CVE-2026-32625, CVE-2026-44653)
- LibreChat: versions up to and including 0.7.6 (CVE-2026-31942)
Is It Being Exploited in the Wild?
No active exploitation has been publicly reported. However, the CVSS 9.8 environment variable injection (CVE-2026-32625) is particularly dangerous in deployments where MCP servers are configured to connect to external services — the resolved secrets could include cloud credentials and API keys.
What Is the Fix?
Update LibreChat to a release later than 0.8.3. After updating, rotate any API keys and credentials that were reachable through MCP server configurations, since they may already have been read.
Recommendations
Update LibreChat immediately. The MCP environment variable injection (CVSS 9.8) can expose server-side secrets. Rotate credentials after patching. Review MCP server configurations for any environment variable references that should be replaced with explicit values.
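The ${VAR} resolution described under CVE-2026-32625 and the configuration review recommended here, as an added example that is not LibreChat's own code: an audit helper that lists every environment reference in an MCP server configuration, and a resolver that only expands names on an explicit allowlist instead of reading process.env freely. The sample configuration, variable names and allowlist are constructed for the example.

```javascript
// Added example (not LibreChat's code): audit and allowlisted resolution of
// ${VAR} references in MCP server settings. All names below are constructed.

const ENV_REF = /\$\{([A-Za-z_][A-Za-z0-9_]*)\}/g;

// Walk a config object and collect every ${VAR} reference with its path.
function findEnvRefs(value, path = "", out = []) {
  if (typeof value === "string") {
    for (const m of value.matchAll(ENV_REF)) out.push({ path, name: m[1] });
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findEnvRefs(v, `${path}[${i}]`, out));
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      findEnvRefs(v, path ? `${path}.${k}` : k, out);
    }
  }
  return out;
}

// Expand ${VAR} only for allowlisted names; any other reference is an error
// rather than a silent read of an arbitrary server-side variable.
function resolveEnvRefs(str, env, allowed) {
  return str.replace(ENV_REF, (_, name) => {
    if (!allowed.has(name)) throw new Error(`env reference not allowed: ${name}`);
    if (!(name in env)) throw new Error(`env variable not set: ${name}`);
    return env[name];
  });
}

// Review step: return the references a config makes that are NOT allowlisted,
// so an operator can replace them with explicit values before deploying.
function auditMcpConfig(config, allowed) {
  return findEnvRefs(config).filter((r) => !allowed.has(r.name));
}

// Constructed sample: one benign reference and one reaching for a secret.
const SAMPLE_CONFIG = {
  mcpServers: {
    weather: { url: "https://mcp.example.invalid", headers: { "X-Region": "${MCP_REGION}" } },
    review: { env: { TOKEN: "${DATABASE_URL}" } },
  },
};
const ALLOWED = new Set(["MCP_REGION"]);
```

Running auditMcpConfig(SAMPLE_CONFIG, ALLOWED) reports the DATABASE_URL reference at mcpServers.review.env.TOKEN, while resolveEnvRefs throws on it instead of expanding it.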
References
This advisory is covered in the broader Vulnerability Intelligence Report — June 4, 2026.
