CVE-2026-31950: CWE-284: Improper Access Control in danny-avila LibreChat
LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc2 through 0.8.2-rc3, the SSE streaming endpoint `/api/agents/chat/stream/:streamId` does not verify that the requesting user owns the stream. Any authenticated user who obtains or guesses a valid stream ID can subscribe and read another user's real-time chat content, including messages, AI responses, and tool invocations. Version 0.8.2 patches the issue.
AI Analysis
Technical Summary
CVE-2026-31950 is a medium-severity improper access control vulnerability (CWE-284) affecting the LibreChat open-source ChatGPT clone developed by danny-avila. Specifically, in versions 0.8.2-rc2 through 0.8.2-rc3, the Server-Sent Events (SSE) streaming endpoint located at /api/agents/chat/stream/:streamId does not properly verify that the requesting user owns the stream they are attempting to subscribe to. This flaw allows any authenticated user with low privileges to subscribe to and receive real-time chat data from other users by guessing or obtaining a valid stream ID. The exposed data includes sensitive chat messages, AI-generated responses, and tool invocation details, leading to a breach of confidentiality. The vulnerability does not affect data integrity or availability and does not require user interaction beyond authentication. The issue was addressed and patched in version 0.8.2 of LibreChat. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N) reflects network attack vector, high attack complexity, low privileges required, no user interaction, unchanged scope, and high confidentiality impact. No known exploits are reported in the wild as of the publication date. The vulnerability highlights the importance of strict access control checks on real-time data streaming endpoints in AI chat platforms.
Potential Impact
The primary impact of CVE-2026-31950 is the unauthorized disclosure of sensitive chat content in real-time, compromising user confidentiality. Organizations deploying vulnerable LibreChat versions risk exposure of private conversations, AI-generated insights, and potentially sensitive tool invocation data. This could lead to privacy violations, leakage of proprietary or personal information, and erosion of user trust. Although the vulnerability does not affect data integrity or availability, the confidentiality breach can have serious consequences in sectors such as healthcare, finance, legal, and government where sensitive data is frequently discussed. Attackers with low-level authenticated access can exploit this flaw without user interaction, increasing the risk of insider threats or lateral movement attacks. The scope is limited to organizations using affected LibreChat versions, but given LibreChat’s positioning as an open-source AI chat platform, the vulnerability could affect a broad range of enterprises and developers integrating AI chat capabilities. The absence of known exploits in the wild reduces immediate risk but does not eliminate the potential for future exploitation.
Mitigation Recommendations
To mitigate CVE-2026-31950, organizations should immediately upgrade LibreChat to version 0.8.2 or later, where the access control flaw is patched. Until the upgrade is applied, restrict access to the SSE streaming endpoint (`/api/agents/chat/stream/:streamId`) with additional network-level controls such as IP whitelisting or VPN-only access. Enforce strict authentication and authorization checks on all streaming endpoints to verify user ownership of requested resources. Conduct code reviews and penetration testing focused on access control mechanisms in real-time data streams. Monitor logs for unusual access patterns or repeated attempts to guess stream IDs. Educate developers on secure design principles for SSE and similar streaming technologies, emphasizing the need for robust session and resource validation. Consider implementing rate limiting and anomaly detection to prevent brute-force enumeration of stream IDs. Finally, maintain an up-to-date inventory of LibreChat deployments and ensure timely application of security patches.
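The ownership check and the monitoring for stream-ID guessing recommended above, as an added JavaScript example that is not LibreChat's code. The in-memory registry, user objects, function names and alert threshold are hypothetical, and the sample data is constructed.

```javascript
// Added example: hypothetical in-memory stream registry, not LibreChat code.
// Each stream records the user that created it (constructed sample data).
const streams = new Map([
  ['stream-a1', { ownerId: 'alice', events: ['message: quarterly numbers'] }],
  ['stream-b2', { ownerId: 'bob', events: ['tool_call: search'] }],
]);

// Denied subscriptions per user, kept for alerting on stream-ID guessing.
const deniedByUser = new Map();

// Behaviour the advisory describes for the affected versions:
// the caller is authenticated, but ownership is never checked.
function subscribeVulnerable(user, streamId) {
  if (!user) return { status: 401, events: [] };
  const stream = streams.get(streamId);
  if (!stream) return { status: 404, events: [] };
  return { status: 200, events: stream.events }; // no ownership check
}

// Hardened form: the authenticated user must be the stream's owner.
// Missing and foreign streams both return 404, so the response does
// not confirm which guessed IDs exist.
function subscribeHardened(user, streamId) {
  if (!user) return { status: 401, events: [] };
  const stream = streams.get(streamId);
  if (!stream || stream.ownerId !== user.id) {
    deniedByUser.set(user.id, (deniedByUser.get(user.id) || 0) + 1);
    return { status: 404, events: [] };
  }
  return { status: 200, events: stream.events };
}

// Users whose denied count reaches the threshold (assumed value of 3)
// are returned for review.
function usersToReview(threshold = 3) {
  return [...deniedByUser]
    .filter(([, count]) => count >= threshold)
    .map(([userId]) => userId);
}
```

In a real deployment the owner would be recorded when the stream is created and the denied counter would feed the existing logging or rate-limiting layer.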
Affected Countries
United States, Germany, United Kingdom, Canada, France, Australia, Japan, South Korea, India, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-10T15:10:10.657Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c6de373c064ed76fea1d68
Added to database: 3/27/2026, 7:44:55 PM
Last enriched: 3/27/2026, 8:01:12 PM
Last updated: 3/27/2026, 10:10:40 PM