CVE-2026-31944: CWE-306: Missing Authentication for Critical Function in danny-avila LibreChat
LibreChat is a ChatGPT clone with additional features. From 0.8.2 to 0.8.2-rc3, the MCP (Model Context Protocol) OAuth callback endpoint accepts the redirect from the identity provider and stores OAuth tokens for the user who initiated the flow, without verifying that the browser hitting the redirect URL is logged in or that the logged-in user matches the initiator. An attacker can send the authorization URL to a victim; when the victim completes the flow, the victim’s OAuth tokens are stored on the attacker’s LibreChat account, enabling account takeover of the victim’s MCP-linked services (e.g. Atlassian, Outlook). This vulnerability is fixed in 0.8.3-rc1.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-31944 is a critical authentication bypass vulnerability categorized under CWE-306 (Missing Authentication for Critical Function) affecting the LibreChat application, a ChatGPT clone with extended features. The vulnerability resides in the MCP (Model Context Protocol) OAuth callback endpoint in versions from 0.8.2 to 0.8.2-rc3. During the OAuth authorization flow, when a user is redirected back from the identity provider, the endpoint accepts and stores the OAuth tokens without verifying that the browser session completing the redirect is authenticated or corresponds to the user who initiated the OAuth flow. This lack of verification allows an attacker to send a malicious authorization URL to a victim. When the victim completes the OAuth flow, their OAuth tokens are erroneously stored in the attacker’s LibreChat account. Consequently, the attacker gains unauthorized access to the victim’s linked services that rely on MCP OAuth tokens, such as Atlassian and Outlook, effectively enabling account takeover. The vulnerability requires user interaction (the victim must complete the OAuth flow) and privileges are low for the attacker (no prior authentication needed). The issue impacts confidentiality severely, as attackers can access sensitive accounts, with limited impact on integrity and no impact on availability. The vulnerability was publicly disclosed on March 13, 2026, with a CVSS 3.1 score of 7.6, indicating high severity. The issue was resolved in LibreChat version 0.8.3-rc1 by adding proper authentication checks on the OAuth callback endpoint to ensure the session user matches the OAuth flow initiator.
Potential Impact
The primary impact of CVE-2026-31944 is unauthorized account takeover of users’ MCP-linked services, including enterprise-critical platforms like Atlassian and Outlook. This can lead to exposure of sensitive corporate data, unauthorized email access, and potential lateral movement within affected organizations. Organizations that use LibreChat for AI-assisted workflows integrating with OAuth-based services are at risk. Attackers can leverage social engineering to trick victims into completing the OAuth flow, making exploitation feasible in targeted phishing campaigns. The compromise of OAuth tokens undermines confidentiality and can facilitate further attacks on corporate infrastructure. The vulnerability does not affect system availability but can severely damage organizational trust and data security. Given the integration with widely used services, the impact spans multiple sectors including technology, finance, government, and education. Organizations relying on LibreChat versions prior to 0.8.3-rc1 should consider their exposure high, especially if OAuth integrations are enabled.
Mitigation Recommendations
Organizations should immediately upgrade LibreChat installations to version 0.8.3-rc1 or later, where the vulnerability is fixed by enforcing authentication and user session verification on the MCP OAuth callback endpoint. Until upgrades are applied, administrators should disable OAuth integrations or restrict access to the OAuth callback endpoint to trusted networks. Implement monitoring for unusual OAuth token storage or authorization flows within LibreChat logs to detect potential exploitation attempts. Educate users about phishing risks involving OAuth authorization URLs and encourage verification of unexpected authorization requests. Employ multi-factor authentication (MFA) on linked services like Atlassian and Outlook to reduce the impact of token compromise. Additionally, review and revoke any suspicious OAuth tokens issued during the vulnerable period. Developers should audit OAuth flows in their applications to ensure strict session and user identity validation on all callback endpoints to prevent similar vulnerabilities.
Affected Countries
United States, United Kingdom, Germany, France, Canada, Australia, Japan, South Korea, India, Netherlands, Sweden, Switzerland, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-10T15:10:10.656Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b4732e2f860ef943a9261d
Added to database: 3/13/2026, 8:27:26 PM
Last enriched: 3/21/2026, 12:39:22 AM
Last updated: 4/28/2026, 7:21:26 AM