
CVE-2026-31945: CWE-918: Server-Side Request Forgery (SSRF) in danny-avila LibreChat

Severity: High
Tags: Vulnerability, CVE-2026-31945, cve, cve-2026-31945, cwe-918
Published: Fri Mar 27 2026 (03/27/2026, 19:23:53 UTC)
Source: CVE Database V5
Vendor/Project: danny-avila
Product: LibreChat

Description

LibreChat is a ChatGPT clone with additional features. Versions 0.8.2-rc2 through 0.8.2 are vulnerable to a server-side request forgery (SSRF) attack when using agent actions or MCP. Although a previous SSRF vulnerability (https://github.com/danny-avila/LibreChat/security/advisories/GHSA-rgjq-4q58-m3q8) was reported and patched, the fix only introduced hostname validation. It does not verify whether DNS resolution results in a private IP address. As a result, an attacker can still bypass the protection and gain access to internal resources, such as an internal RAG API or cloud instance metadata endpoints. Version 0.8.3-rc1 contains a patch.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/27/2026, 20:00:03 UTC

Technical Analysis

CVE-2026-31945 is a Server-Side Request Forgery (SSRF) vulnerability identified in the LibreChat project, a ChatGPT clone with extended features. The vulnerability exists in versions 0.8.2-rc2 through 0.8.2 and is triggered when using agent actions or the MCP feature. Although a prior SSRF vulnerability was patched by adding hostname validation, this fix was incomplete because it did not verify whether the DNS resolution of the hostname resulted in a private IP address. Consequently, an attacker can supply a hostname that passes the string-level check but resolves to an internal IP address, bypassing the hostname validation and gaining unauthorized access to internal network resources. These resources may include internal Retrieval-Augmented Generation (RAG) APIs or cloud instance metadata endpoints, which often contain sensitive configuration or credential information. The vulnerability has a CVSS v3.1 base score of 7.7, reflecting its high severity, with an attack vector of network (remote), low attack complexity, privileges required, no user interaction, a scope change, and an impact on confidentiality. It is exploitable remotely by authenticated attackers with low privileges, and exploitation can lead to significant information disclosure. The issue was addressed in LibreChat version 0.8.3-rc1 by improving validation to prevent DNS resolution to private IP ranges. No known exploits are reported in the wild as of the publication date. This vulnerability highlights the importance of comprehensive SSRF mitigations that validate the IP address obtained after DNS resolution, not just the hostname.

Potential Impact

The impact of CVE-2026-31945 is significant for organizations deploying vulnerable versions of LibreChat, especially those exposing the service to untrusted networks or integrating it with sensitive internal APIs. Successful exploitation can lead to unauthorized access to internal network resources, including cloud metadata services that may leak credentials or configuration data, potentially enabling further lateral movement or privilege escalation. Confidentiality is primarily affected, as attackers can retrieve sensitive information from internal endpoints. The integrity and availability of the system are not directly impacted by this vulnerability. However, the breach of internal data can lead to broader security incidents. Organizations relying on LibreChat for chatbot or AI services in production environments may face data leakage risks and compliance issues. The vulnerability's ease of exploitation and the scope of affected systems make it a critical concern for enterprises using this software, particularly in cloud or hybrid environments where metadata endpoints are accessible internally.

Mitigation Recommendations

To mitigate CVE-2026-31945, organizations should immediately upgrade LibreChat to version 0.8.3-rc1 or later, where the vulnerability is patched. Beyond patching, it is crucial to implement network-level controls such as firewall rules or network segmentation to restrict access to internal services and cloud metadata endpoints from the LibreChat server. Employ strict egress filtering to prevent SSRF attempts from reaching sensitive internal IP ranges. Additionally, configure LibreChat and any integrated services to use allowlists for external requests rather than relying solely on hostname validation. Monitoring and logging outbound requests from LibreChat can help detect anomalous SSRF activity. If upgrading is not immediately feasible, consider disabling features like agent actions or MCP that trigger the vulnerability. Finally, conduct security assessments and penetration testing focused on SSRF vectors to ensure no residual exposure remains.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-10T15:10:10.656Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69c6de373c064ed76fea1d65

Added to database: 3/27/2026, 7:44:55 PM

Last enriched: 3/27/2026, 8:00:03 PM

Last updated: 3/27/2026, 11:41:29 PM