CVE-2026-32625 · LibreChat is an enhanced ChatGPT clone that supports multiple AI providers.

01 · The Real Story

This is a receptionist badge that quietly opens the key vault once you’re inside the lobby

LibreChat versions <= 0.8.3 let an authenticated user create an MCP server entry whose URL contains ${ENV_VAR} placeholders. During validation, LibreChat resolves those placeholders against the server process environment, then immediately performs a server-side connection test to the attacker-controlled URL. That turns a low-privileged MCP configuration action into outbound exfiltration of high-value secrets such as JWT_SECRET, CREDS_KEY, CREDS_IV, and potentially MONGO_URI.

The vendor's CRITICAL 9.6 score is technically defensible on *impact* because leaked JWT signing material and encryption keys can collapse the trust boundary for the entire instance. But for enterprise patch prioritization, the score runs hot: exploitation requires authenticated remote access to LibreChat first, and LibreChat is a self-hosted, comparatively narrow product with far smaller exposed population than mainstream edge software. Real-world severity is still serious, but it is *post-auth serious*, not *drop-everything pre-auth edge RCE* serious.

"Massive impact, but it is still a post-auth bug in a niche self-hosted app—not an internet-scale pre-auth fire."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Obtain a valid LibreChat user session

The attacker needs any authenticated LibreChat account able to hit POST /api/mcp/servers. The advisory explicitly says a default registered user is sufficient; no admin role is required. In practice this means SSO users, self-registered users, or any previously compromised account can be used.

Conditions required:

Authenticated remote access to LibreChat
Ability to create or submit MCP server configuration
Target is running LibreChat <= 0.8.3

Where this breaks in practice:

Many enterprise deployments restrict registration and gate access behind SSO/VPN
Some organizations disable or do not expose MCP features to ordinary users
This is unusable for a purely unauthenticated internet attacker

Detection/coverage: Identity telemetry and app logs should show a successful login plus a request to POST /api/mcp/servers, but generic vulnerability scanners will usually miss the precondition because they cannot authenticate and exercise the feature path.

STEP 02

Submit a malicious MCP URL with env-var placeholders

Using curl or equivalent tooling, the attacker creates an MCP server config whose url includes ${JWT_SECRET}, ${CREDS_KEY}, or similar placeholders in the query string. The vulnerable schema path resolves these placeholders during user-input handling instead of treating them as inert text.

Conditions required:

User can send crafted JSON to the MCP server creation endpoint
LibreChat still uses the vulnerable schema path

Where this breaks in practice:

If the instance is already upgraded to v0.8.4-rc1 or later, the request is rejected
Role-based controls or feature flags around MCP server creation can block this step

Detection/coverage: Good application logging or reverse-proxy logging can catch suspicious ${...} patterns in MCP URL fields. Most SCA tools only flag by package version; they do not validate exploitability.

STEP 03

LibreChat resolves secrets and calls out

LibreChat's validation flow resolves the environment variables and MCPServerInspector.inspect() immediately initiates an outbound connection to the attacker-controlled host. The attacker receives an HTTP request containing the resolved secrets in the URL, without needing any victim interaction beyond the initial API call.

Conditions required:

LibreChat container/server has outbound network reachability to the attacker domain
No egress control blocks arbitrary HTTP/S or WebSocket destinations

Where this breaks in practice:

Strong egress filtering or proxy allowlists can stop the callback
DNS filtering or container network policy may prevent arbitrary external destinations

Detection/coverage: EDR/NDR/proxy logs can catch unusual outbound traffic from the LibreChat container to newly seen domains or IPs. Network scanners will not see this; behavior monitoring is the right layer.

STEP 04

Turn leaked secrets into full instance compromise

With JWT_SECRET, an attacker can forge valid session tokens; with CREDS_KEY and CREDS_IV, they can decrypt stored provider keys, OAuth tokens, and plugin credentials if database access is obtained or already present. If MONGO_URI is exposed and reachable, the attacker may also gain direct database access. This is where the vulnerability stops being 'just disclosure' and becomes practical control over the application trust model.

Conditions required:

Leaked secrets are still active and unrotated
Attacker can use forged JWTs or leverage exposed database credentials

Where this breaks in practice:

Token audience/claim validation and downstream authorization checks may constrain some forged-session abuse
Database network segmentation can limit follow-on use of MONGO_URI
Secret rotation after detection cuts off the path

Detection/coverage: Look for impossible-travel or anomalous JWT usage, sudden access to admin-only flows, and database authentication from unexpected sources. No off-the-shelf scanner reliably proves this post-exfiltration stage.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public evidence of active exploitation found in primary sources reviewed. CISA KEV search returned no result for `CVE-2026-32625`, and the user-provided KEV status of No is consistent with that.
Proof-of-concept availability	A workable PoC is embedded directly in the GitHub advisory using `curl` plus `nc`; I did not find a separate weaponized exploit repo in the sources reviewed.
EPSS	No reliable per-CVE EPSS score was located for `CVE-2026-32625` in the browsed sources. Treat EPSS as not yet available / not yet indexed rather than low.
KEV status	Not KEV-listed as assessed from the absence of a CISA result for the CVE and the user intel. No federal remediation deadline is attached.
CVSS vector	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N` — the important real-world qualifier is `PR:L`: this is authenticated remote abuse, not unauthenticated edge compromise.
Affected versions	Upstream GitHub advisory lists LibreChat `<= 0.8.3` as affected.
Fixed versions	Patched upstream in `v0.8.4-rc1`; the stable `v0.8.4` release followed on 2026-03-20 and includes the broader security hardening release train. No distro backports were found in the reviewed sources.
Exposure / population	LibreChat is meaningfully adopted but not internet-ubiquitous. Public GitHub package metadata shows `v0.8.4` container downloads above 200k, which supports 'material deployment footprint' but is not the same thing as internet exposure. I found no open-source Shodan/Censys/FOFA count for this CVE path.
Disclosure timeline	Security advisory published 2026-06-02. The fixing PR `#12204` merged earlier on 2026-03-13, and `v0.8.4-rc1` was tagged 2026-03-17.
Reporter / researcher	GitHub advisory credits YLChen-007 as reporter.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to HIGH (8.6/10)

The single biggest reason this is HIGH instead of CRITICAL is the attacker-position requirement: exploitation starts with an authenticated LibreChat user, which makes this a post-auth application compromise path rather than a pre-auth internet-edge event. The main amplifier keeping it high is that the secrets exposed (JWT_SECRET, encryption keys, database URI) can undermine the entire instance once leaked.

HIGH Affected versions, fix version, and core exploit mechanics from the vendor advisory and fix PR

MEDIUM Population/exposure assessment across real enterprise deployments

MEDIUM Absence of public exploitation evidence at time of assessment

Why this verdict

Downgrade for attacker position: the chain starts at *authenticated remote*, which implies either prior compromise, valid insider access, or intentionally broad user enrollment.
Keep it high for blast radius: leaking JWT_SECRET, CREDS_KEY, and CREDS_IV can invalidate the security boundary of the whole LibreChat instance, not just one user account.
Downgrade for reachable population: LibreChat is a self-hosted AI frontend with meaningful but limited enterprise exposure; this is not a mass-exposed appliance or ubiquitous browser/runtime bug.
Downgrade for control friction: outbound callback to an attacker host is central to the exploit, so proxy allowlists, egress filtering, and container network policy can break the chain.
No exploitation multiplier: no KEV listing and no primary-source evidence of active campaigns were found, so there is no reason to override into emergency-kev severity.

Why not higher?

This is not unauthenticated remote compromise. Requiring a valid LibreChat user session materially narrows who can exploit it and usually implies the attacker is already inside an identity boundary. The exploit also depends on successful outbound connectivity from the LibreChat server to attacker infrastructure, which many mature environments can restrict.

Why not lower?

Calling this medium would ignore what is actually being leaked. Once JWT_SECRET and encryption material leave the box, the attacker can plausibly forge sessions and unlock stored provider credentials, which is far beyond a minor data exposure. The follow-on blast radius is large enough that this still belongs in the high-priority queue.

05 · Compensating Control

What to do — in priority order.

Block arbitrary egress from LibreChat — Restrict the LibreChat container or host so it can only reach approved MCP destinations and required upstream services; deny generic outbound internet access. This directly breaks the exfiltration callback stage and should be deployed within 30 days if you cannot patch immediately.
Disable user-managed MCP server creation — Temporarily remove or gate the ability for ordinary users to create custom MCP servers until all instances are upgraded. This cuts off the attacker-controlled input path and should be enforced within 30 days on affected deployments.
Constrain LibreChat behind SSO/VPN — If any instance is internet-accessible, put it behind enterprise SSO, VPN, or both, and disable open self-registration where possible. That reduces the pool of attackers who can satisfy the PR:L prerequisite and should be done within 30 days for exposed systems.
Hunt for suspicious MCP URLs — Search app, proxy, and API logs for POST /api/mcp/servers plus URL values containing ${, attacker domains, or unusual query strings. Start this review now and complete the initial sweep within 30 days so you can decide whether key rotation is required.
Prepare secret rotation — Have a runbook ready to rotate JWT_SECRET, CREDS_KEY, CREDS_IV, and any provider credentials if you find evidence of abuse or cannot rule it out. The prep work belongs within 30 days, even if rotation is only triggered by compromise indicators.

What doesn't work

A WAF alone does not solve this; the exploit is an authenticated JSON API call followed by a server-side outbound connection, not a classic web payload the WAF will reliably understand.
MFA alone is not enough; it helps prevent account compromise, but any legitimate low-privileged user account can still trigger the bug on a vulnerable instance.
Relying on SSRF protections that only block private IPs does not help here; the advisory explicitly notes the attacker can use an external domain and still exfiltrate secrets.

06 · Verification

Crowdsourced verification payload.

Run this on the LibreChat host or inside the LibreChat container. Invoke it as bash check_cve_2026_32625.sh /path/to/LibreChat or bash check_cve_2026_32625.sh --container librechat. It needs local read access to the install path or permission to run docker inspect / docker exec.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_cve_2026_32625.sh
# Detect likely exposure to CVE-2026-32625 in LibreChat.
# Outputs one of: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=usage/runtime error

set -u

usage() {
  echo "Usage: $0 <librechat_path> | --container <docker_container_name>"
}

normalize_version() {
  local v="$1"
  v="${v#v}"
  echo "$v"
}

classify_version() {
  local raw="$1"
  local v
  v="$(normalize_version "$raw")"

  # Known vulnerable range from advisory: <= 0.8.3
  # Known fixed version: 0.8.4-rc1 and later.
  case "$v" in
    0.8.0*|0.8.1*|0.8.2*|0.8.3*)
      echo "VULNERABLE"
      return 1
      ;;
    0.8.4-rc1*|0.8.4-rc2*|0.8.4*|0.8.5*|0.8.6*|0.9*|1.*)
      echo "PATCHED"
      return 0
      ;;
    *)
      echo "UNKNOWN"
      return 2
      ;;
  esac
}

extract_version_from_path() {
  local base="$1"
  local f
  for f in \
    "$base/package.json" \
    "$base/client/package.json" \
    "$base/api/package.json" \
    "$base/node_modules/@librechat/api/package.json"; do
    if [ -f "$f" ]; then
      local ver
      ver=$(grep -E '"version"\s*:\s*"[^"]+"' "$f" | head -n1 | sed -E 's/.*"version"\s*:\s*"([^"]+)".*/\1/')
      if [ -n "$ver" ]; then
        echo "$ver"
        return 0
      fi
    fi
  done
  return 1
}

extract_version_from_container() {
  local c="$1"

  if ! command -v docker >/dev/null 2>&1; then
    return 1
  fi

  local image
  image=$(docker inspect --format '{{.Config.Image}}' "$c" 2>/dev/null) || return 1

  # Prefer explicit image tag if present.
  if echo "$image" | grep -q ':'; then
    local tag="${image##*:}"
    if [ -n "$tag" ] && [ "$tag" != "$image" ]; then
      echo "$tag"
      return 0
    fi
  fi

  # Fallback: inspect package.json inside the container.
  local ver
  ver=$(docker exec "$c" sh -lc '
    for f in /app/package.json /app/client/package.json /app/api/package.json /app/node_modules/@librechat/api/package.json; do
      if [ -f "$f" ]; then
        grep -E '"'"'version"'"'\s*:\s*"'"'[^"']+'"'"' "$f" | head -n1 | sed -E 's/.*"'"'version"'"'\s*:\s*"'"'([^"']+)"'"'.*/\1/' && exit 0
      fi
    done
    exit 1
  ' 2>/dev/null) || true

  if [ -n "$ver" ]; then
    echo "$ver"
    return 0
  fi

  return 1
}

if [ "$#" -lt 1 ]; then
  usage
  echo "UNKNOWN"
  exit 3
fi

version=""

if [ "$1" = "--container" ]; then
  if [ "$#" -ne 2 ]; then
    usage
    echo "UNKNOWN"
    exit 3
  fi
  version=$(extract_version_from_container "$2") || true
else
  if [ "$#" -ne 1 ]; then
    usage
    echo "UNKNOWN"
    exit 3
  fi
  version=$(extract_version_from_path "$1") || true
fi

if [ -z "$version" ]; then
  echo "UNKNOWN"
  exit 2
fi

classify_version "$version"
exit $?

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, pull an inventory of every LibreChat instance and isolate anything running <= 0.8.3. If you cannot upgrade immediately, disable ordinary-user MCP server creation and clamp outbound network access from the LibreChat host/container to approved destinations within 30 days under the noisgate mitigation SLA; then move all affected systems to v0.8.4-rc1 or preferably stable v0.8.4+ within 180 days under the noisgate remediation SLA. For any instance that was internet-reachable or had broad self-registration, compress that work into the current sprint and review whether JWT_SECRET, CREDS_KEY, CREDS_IV, and stored provider credentials need rotation.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.