CVE-2026-31943: LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.3, `isPrivateIP()` in `packages/api/src/auth
Summary
LibreChat, a ChatGPT alternative with extra features, has a security flaw in versions before 0.8.3: a function called `isPrivateIP()` fails to recognize IPv4-mapped IPv6 addresses (IPv6 addresses that embed an IPv4 address) when they are written in a certain format, allowing logged-in users to bypass the SSRF protection. SSRF (server-side request forgery) is where an attacker tricks a server into making requests to internal network resources it should not be able to reach. This could let attackers access sensitive internal resources such as cloud metadata services and private networks.
Solution / Mitigation
Update LibreChat to version 0.8.3, which fixes the issue.
Vulnerability Details
CVSS base score: 8.5 (High)
EPSS: 0.0%
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack vector: network
Attack complexity: low
Privileges required: low
User interaction: none
Date: March 27, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-31943
First tracked: March 28, 2026 at 02:07 AM
Classified by LLM (prompt v3) · confidence: 85%