CVE-2026-54040: LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the POST /api/auth/2fa/b
Summary
LibreChat, a ChatGPT-like application supporting multiple AI providers, has a vulnerability in versions before 0.8.4-rc1: the 2FA backup code regeneration endpoint does not verify the identity of the user making the request. An attacker holding a stolen session token (the credential that keeps a user logged in) can regenerate the victim's two-factor authentication backup codes and use them to bypass the second login factor or disable 2FA entirely.
Solution / Mitigation
Update LibreChat to version 0.8.4-rc1 or later, which fixes this vulnerability.
Vulnerability Details
CVSS score: 5.9 (Medium)
EPSS: 0.0%
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Date: June 25, 2026
Classification
Affected Vendors
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-54040
First tracked: June 25, 2026 at 02:11 PM