{"data":{"id":"808b65d9-26ea-4255-bebc-20583f31d9d8","title":"CVE-2026-54040: LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the POST /api/auth/2fa/b","summary":"LibreChat, a ChatGPT-like application supporting multiple AI providers, has a vulnerability in versions before 0.8.4-rc1 where the 2FA backup code regeneration endpoint does not require the user to re-verify their identity. An attacker who already holds a stolen session token (a credential that keeps you logged in) can regenerate a victim's two-factor authentication backup codes and use them to bypass login security or disable 2FA entirely.","solution":"Update LibreChat to version 0.8.4-rc1 or later, which fixes this vulnerability.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-54040","publishedAt":"2026-06-25T17:16:41.123Z","cveId":"CVE-2026-54040","cweIds":["CWE-306"],"cvssScore":"5.9","cvssSeverity":"medium","severity":"medium","attackType":["other"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["LibreChat"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N","attackVector":"network","attackComplexity":"high","privilegesRequired":"low","userInteraction":"none","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-06-25T17:16:41.123Z","capecIds":["CAPEC-115"],"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity","confidentiality"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}