{"data":{"id":"c0cd1955-cdf9-4758-b91f-1a045ec15e0d","title":"CVE-2026-54036: LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the GET /api/auth/2fa/en","summary":"LibreChat, a ChatGPT-like application supporting multiple AI providers, has a security flaw in versions before 0.8.4-rc1 where an attacker holding a valid session token (a credential that proves its holder is logged in) can disable a user's two-factor authentication (2FA, an extra security layer requiring a second verification step) without the account owner's authorization. The attacker can overwrite the TOTP secret (the shared secret used to generate login verification codes) and backup codes, then disable 2FA entirely, locking the real owner out of their account.","solution":"This vulnerability is fixed in 0.8.4-rc1.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-54036","publishedAt":"2026-06-25T16:16:39.217Z","cveId":"CVE-2026-54036","cweIds":["CWE-306"],"cvssScore":"5.3","cvssSeverity":"medium","severity":"medium","attackType":["other"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["LibreChat"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N","attackVector":"network","attackComplexity":"high","privilegesRequired":"low","userInteraction":"none","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-06-25T16:16:39.217Z","capecIds":["CAPEC-115"],"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity","confidentiality"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}