CVE-2026-32625

Source
https://cve.org/CVERecord?id=CVE-2026-32625
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32625.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-32625
Aliases
  • GHSA-4pcc-j6m6-wcwx
Published
2026-06-02T22:35:00.859Z
Modified
2026-07-08T08:13:03.291685Z
Severity
  • 9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N CVSS Calculator
Summary
LibreChat Exfiltrates Server Secrets via MCP Server URL Injection
Details

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, the Model Context Protocol (MCP) server integration resolves ${VAR} placeholders against the server's process.env during Zod schema validation of user-supplied MCP server URLs. Any authenticated user can create a malicious MCP server configuration with a URL pointing to an attacker-controlled domain containing environment variable references, causing the LibreChat server to connect to the attacker's server and transmit critical secrets such as CREDSKEY, CREDSIV, JWTSECRET, and MONGOURI in the request URL. This enables full compromise of the installation's cryptographic materials and database credentials without requiring administrative privileges. This is patched in version 0.8.4-rc1.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-200"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32625.json"
}
References

Affected packages

Git / github.com/danny-avila/librechat

Affected ranges

Type
GIT
Repo
https://github.com/danny-avila/librechat
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.8.4-rc1"
        },
        {
            "fixed": "0.8.4"
        }
    ],
    "cpe": "cpe:2.3:a:librechat:librechat:*:*:*:*:*:*:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ]
}

Affected versions

chart-1.*
chart-1.9.0
chart-1.9.1
chart-1.9.2
chart-1.9.3
chart-1.9.4
chart-1.9.5
chart-1.9.6
chart-1.9.7
chart-1.9.8
chart-1.9.9
chart-2.*
chart-2.0.0
chart-2.0.1
librechat-1.*
librechat-1.8.9
v0.*
v0.0.1
v0.0.2
v0.0.3
v0.0.6
v0.1.0
v0.1.1
v0.2.0
v0.3.0
v0.3.3
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.4.8
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.6.10
v0.6.5
v0.6.6
v0.6.9
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.7.3-rc
v0.7.3-rc2
v0.7.4
v0.7.4-rc1
v0.7.5
v0.7.5-rc1
v0.7.5-rc2
v0.7.6
v0.7.6-rc1
v0.7.7
v0.7.7-rc1
v0.7.8
v0.7.8-rc1
v0.7.9
v0.7.9-rc1
v0.8.0
v0.8.0-rc1
v0.8.0-rc2
v0.8.0-rc3
v0.8.0-rc4
v0.8.1
v0.8.1-rc1
v0.8.1-rc2
v0.8.2
v0.8.2-rc1
v0.8.2-rc2
v0.8.2-rc3
v0.8.3
v0.8.3-rc1
v0.8.3-rc2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32625.json"