CVE-2026-31951 is a vulnerability in the LibreChat application, a ChatGPT clone with extended features, specifically affecting versions 0.8.2-rc1 through 0.8.3-rc1. The flaw arises from the way LibreChat processes user-created MCP (Model Context Protocol) servers, which can include arbitrary HTTP headers. These headers undergo credential placeholder substitution, meaning that placeholders such as {{LIBRECHAT_OPENID_ACCESS_TOKEN}} are replaced with the actual OAuth tokens of the user. An attacker can exploit this by setting up a malicious MCP server that injects headers containing these placeholders. When a victim interacts with this malicious server, their OAuth tokens are exfiltrated to the attacker without their knowledge. This vulnerability exposes sensitive authentication credentials (OAuth tokens) to unauthorized actors, compromising user confidentiality. The vulnerability does not affect data integrity or availability and requires the victim to interact with the malicious MCP server, implying user interaction is necessary. The issue was addressed and fixed in LibreChat version 0.8.3-rc2. The CVSS v3.1 base score is 6.8, indicating a medium severity, with the vector reflecting network attack vector, low attack complexity, requiring privileges, user interaction, and scope change with high confidentiality impact but no integrity or availability impact.

The primary impact of CVE-2026-31951 is the unauthorized disclosure of OAuth access tokens, which can allow attackers to impersonate users and access protected resources or services that rely on these tokens for authentication. This can lead to unauthorized access to user accounts, data leakage, and potential lateral movement within affected environments. Since LibreChat is a ChatGPT clone used for AI-driven chat services, compromised tokens could also lead to abuse of user identities in integrated services or platforms. The vulnerability does not directly compromise system integrity or availability but significantly undermines user privacy and trust. Organizations deploying LibreChat in environments where sensitive or proprietary data is exchanged are at risk of data breaches and compliance violations. The requirement for user interaction and the need to connect to a malicious MCP server somewhat limit the attack surface, but social engineering or supply chain attacks could increase exploitation likelihood. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed.

1. Upgrade LibreChat immediately to version 0.8.3-rc2 or later, where the vulnerability is patched. 2. Restrict connections to MCP servers to only trusted and verified sources; implement allowlists or certificate pinning to prevent connections to malicious servers. 3. Implement network-level controls such as firewall rules or proxy filtering to block or monitor traffic to untrusted MCP servers. 4. Educate users about the risks of connecting to unknown or untrusted MCP servers and the importance of verifying server authenticity. 5. Monitor OAuth token usage for anomalies that could indicate token theft or misuse, and enforce token expiration and revocation policies aggressively. 6. Consider implementing additional application-layer protections that sanitize or validate HTTP headers received from MCP servers before processing credential placeholders. 7. Conduct regular security audits and penetration testing focused on third-party integrations and user-generated content handling within LibreChat deployments.