CVE-2026-31942: CWE-862: Missing Authorization in danny-avila LibreChat
CVE-2026-31942 is a high-severity vulnerability in LibreChat versions prior to 0. 8. 3-rc1. It is an Insecure Direct Object Reference (IDOR) issue in the API keys management endpoint that allows any authenticated user to overwrite other users' API key configurations by injecting a userId parameter. This can lead to attackers rerouting victim conversations through attacker-controlled keys or causing denial of service by setting invalid keys. The vulnerability is patched in version 0. 8. 3-rc1. LibreChat is a cloud-hosted service, and the vendor manages remediation for this service.
AI Analysis
Technical Summary
LibreChat, an enhanced ChatGPT clone supporting multiple AI providers, contains an IDOR vulnerability (CWE-862) in its API keys management endpoint (PUT /api/keys) in versions up to 0.7.6. The flaw arises from the use of the JavaScript object spread operator after setting the authenticated user's ID, allowing an authenticated user to inject a userId parameter in the request body. This enables overwriting of any other user's API key configurations, potentially redirecting victim conversations through attacker-controlled keys or causing denial of service by invalidating keys. The vulnerability has a CVSS 3.1 score of 7.1 (high severity) with network attack vector, low attack complexity, requiring privileges and no user interaction. It is patched in version 0.8.3-rc1. As LibreChat is a cloud service, the vendor manages remediation server-side.
Potential Impact
An attacker with authenticated access can manipulate other users' API key configurations, which may allow them to intercept or alter AI conversation data by routing it through attacker-controlled keys or disrupt service by setting invalid keys. There is no direct confidentiality impact reported, but integrity and availability impacts are high. No known exploits in the wild have been reported.
Mitigation Recommendations
A patch is available in LibreChat version 0.8.3-rc1 that fixes this vulnerability. Since LibreChat is a cloud-hosted service, the vendor manages remediation server-side. Users should ensure they are using version 0.8.3-rc1 or later. Patch status is confirmed by the vendor advisory. No additional mitigation actions are specified.
CVE-2026-31942: CWE-862: Missing Authorization in danny-avila LibreChat
Description
CVE-2026-31942 is a high-severity vulnerability in LibreChat versions prior to 0. 8. 3-rc1. It is an Insecure Direct Object Reference (IDOR) issue in the API keys management endpoint that allows any authenticated user to overwrite other users' API key configurations by injecting a userId parameter. This can lead to attackers rerouting victim conversations through attacker-controlled keys or causing denial of service by setting invalid keys. The vulnerability is patched in version 0. 8. 3-rc1. LibreChat is a cloud-hosted service, and the vendor manages remediation for this service.
CVSS v3.1
Score 7.1high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
LibreChat, an enhanced ChatGPT clone supporting multiple AI providers, contains an IDOR vulnerability (CWE-862) in its API keys management endpoint (PUT /api/keys) in versions up to 0.7.6. The flaw arises from the use of the JavaScript object spread operator after setting the authenticated user's ID, allowing an authenticated user to inject a userId parameter in the request body. This enables overwriting of any other user's API key configurations, potentially redirecting victim conversations through attacker-controlled keys or causing denial of service by invalidating keys. The vulnerability has a CVSS 3.1 score of 7.1 (high severity) with network attack vector, low attack complexity, requiring privileges and no user interaction. It is patched in version 0.8.3-rc1. As LibreChat is a cloud service, the vendor manages remediation server-side.
Potential Impact
An attacker with authenticated access can manipulate other users' API key configurations, which may allow them to intercept or alter AI conversation data by routing it through attacker-controlled keys or disrupt service by setting invalid keys. There is no direct confidentiality impact reported, but integrity and availability impacts are high. No known exploits in the wild have been reported.
Mitigation Recommendations
A patch is available in LibreChat version 0.8.3-rc1 that fixes this vulnerability. Since LibreChat is a cloud-hosted service, the vendor manages remediation server-side. Users should ensure they are using version 0.8.3-rc1 or later. Patch status is confirmed by the vendor advisory. No additional mitigation actions are specified.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-10T15:10:10.656Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
- Gcve Source
- db.gcve.eu
Threat ID: 6a1f872ae29bf47b5044be8a
Added to database: 6/3/2026, 1:45:14 AM
Last enriched: 6/3/2026, 1:48:29 AM
Last updated: 6/3/2026, 5:05:58 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.