CVE-2026-54030: LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.5, LibreChat's MCP OAuth implem
Summary
LibreChat, a ChatGPT-like application that works with multiple AI providers, has a vulnerability in versions before 0.8.5 where it fails to validate the resource parameter from OAuth (a system for securely sharing access between applications) metadata, allowing a malicious server to steal access tokens meant for legitimate servers. This is an origin validation error (CWE-346, where the system fails to check that data comes from the expected source).
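The check the summary describes as missing, as an added example (not LibreChat's code or its 0.8.5 fix): before trusting OAuth protected resource metadata, a client compares the advertised `resource` with the server URL it actually connected to. The function names, the example.com and example.net hosts, and the same-origin plus path-prefix matching policy are assumptions.

```javascript
// Added example, not LibreChat code. All names and sample values are hypothetical.

// Normalise a URL for comparison: parsed origin plus path without trailing slashes.
function canonical(urlString) {
  const u = new URL(urlString); // throws on malformed input
  if (u.hash) throw new Error('resource identifier must not contain a fragment');
  return { origin: u.origin, path: u.pathname.replace(/\/+$/, '') };
}

// Returns the resource identifier to bind tokens to, or throws when the metadata
// advertises a resource that does not cover the server the client connected to.
function checkAdvertisedResource(connectedServerUrl, metadata) {
  if (!metadata || typeof metadata.resource !== 'string') {
    throw new Error('metadata has no resource field');
  }
  const want = canonical(connectedServerUrl);
  const got = canonical(metadata.resource);
  if (got.origin !== want.origin) {
    throw new Error(`resource origin ${got.origin} does not match ${want.origin}`);
  }
  // Equal path, or a parent on a segment boundary:
  // "/mcp" covers "/mcp/v1" but not "/mcp-other".
  const covers = want.path === got.path || want.path.startsWith(got.path + '/');
  if (!covers) {
    throw new Error(`resource path "${got.path}" does not cover "${want.path}"`);
  }
  return got.origin + got.path;
}

// Constructed samples: [URL the client connected to, metadata that server returned].
const SAMPLES = [
  ['https://mcp.example.com/mcp', { resource: 'https://mcp.example.com/mcp' }],
  ['https://mcp.example.com/mcp/v1', { resource: 'https://mcp.example.com/mcp/' }],
  // A server advertising some other server's resource identifier: must be rejected.
  ['https://mcp.example.net/mcp', { resource: 'https://mcp.example.com/mcp' }],
  ['https://mcp.example.com/mcp-other', { resource: 'https://mcp.example.com/mcp' }],
  ['https://mcp.example.com/mcp', {}],
];

// Evaluates every sample and reports whether it was accepted and why.
function runSamples() {
  return SAMPLES.map(([server, metadata]) => {
    try {
      return { server, ok: true, resource: checkAdvertisedResource(server, metadata) };
    } catch (err) {
      return { server, ok: false, reason: err.message };
    }
  });
}
```

A rejected result should abort the OAuth flow before any authorization or token request is made for that server.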
Solution / Mitigation
Update LibreChat to version 0.8.5 or later, which fixes this vulnerability.
Vulnerability Details
CVSS score: 8 (high)
EPSS: 0.0%
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Attack vector: network
Attack complexity: high
Privileges required: none
User interaction: required
June 25, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-54030
First tracked: June 25, 2026 at 02:11 PM
Classified by LLM (prompt v3) · confidence: 85%