CVE-2026-31945: LibreChat is a ChatGPT clone with additional features. Versions 0.8.2-rc2 through 0.8.2 are vulnerable to a server-side
Summary
LibreChat (a ChatGPT alternative with extra features) versions 0.8.2-rc2 through 0.8.2 have a vulnerability that allows attackers to access internal systems through SSRF (server-side request forgery, where an attacker tricks a server into making requests to resources it shouldn't access). Even though a previous SSRF fix was applied, it only checked domain names and didn't verify whether those names actually point to private IP addresses (internal network addresses), leaving the system exposed.
Solution / Mitigation
Update to version 0.8.3-rc1, which contains a patch for this vulnerability.
Vulnerability Details
7.7(high)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
network
low
low
none
March 27, 2026
Classification
Taxonomy References
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-31945
First tracked: March 28, 2026 at 02:07 AM
Classified by LLM (prompt v3) · confidence: 92%