LibreChat is a ChatGPT clone with additional features. Versions 0.8.2-rc2 through 0.8.2 are vulnerable to a server-side request forgery (SSRF) attack when using agent actions or MCP. Although a previous SSRF vulnerability (https://github.com/danny-avila/LibreChat/security/advisories/GHSA-rgjq-4q58-m3q8) was reported and patched, the fix only introduced hostname validation. It does not verify whether DNS resolution results in a private IP address. As a result, an attacker can still bypass the protection and gain access to internal resources, such as an internal RAG API or cloud instance metadata endpoints. Version 0.8.3-rc1 contains a patch.
{
"cwe_ids": [
"CWE-918"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31945.json",
"cna_assigner": "GitHub_M"
}{
"cpe": [
"cpe:2.3:a:librechat:librechat:0.8.2:-:*:*:*:*:*:*",
"cpe:2.3:a:librechat:librechat:0.8.2:rc2:*:*:*:*:*:*",
"cpe:2.3:a:librechat:librechat:0.8.2:rc3:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "0.8.2-rc2"
},
{
"fixed": "0.8.3-rc1"
},
{
"introduced": "0.8.2-NA"
},
{
"last_affected": "0.8.2-NA"
},
{
"last_affected": "0.8.2-rc2"
},
{
"introduced": "0.8.2-rc3"
},
{
"last_affected": "0.8.2-rc3"
}
],
"source": [
"AFFECTED_FIELD",
"CPE_STRING"
]
}