External risk intelligence

LibreChat Server Information Disclosure Risk

CVE advisory

Severity: CRITICAL (CVSS 9.6)

CVE-2026-32625

An authenticated user can exploit a vulnerability in LibreChat's server integration to expose sensitive credentials. This could lead to a compromise of cryptographic materials and database access for the affected organization. The risk involves unauthorized access to critical business data.

Halo Surface Signal: 4

Category: Information Disclosure

Product: LibreChat

Affected versions: before 0.8.4

External exposure likelihood

Halo Surface Signal score for CVE-2026-32625

LibreChat is commonly deployed as an internet-facing web application or service to provide chat interface capabilities to users. As a web-based AI integration platform, it is typically hosted as an externally reachable web application, making its interfaces and configuration functions accessible via the network.

PCI scan relevance

PCI Relevance for CVE-2026-32625

Yes

CVE-2026-32625 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in LibreChat allows authenticated users to steal sensitive information like cryptographic keys and database credentials.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

LibreChat, a platform designed to replicate ChatGPT's functionality with multiple AI providers, has a vulnerability in its Model Context Protocol (MCP) server integration. This flaw allows authenticated users to configure a malicious MCP server. When the LibreChat server processes this configuration, it can expose sensitive information to an attacker. The potential consequences include the compromise of cryptographic materials and database credentials for the entire installation.

  • Vulnerable component: LibreChat MCP server integration
  • Core weakness: Resolves user-supplied URLs, exposing secrets.
  • Main business impact: Compromise of credentials and secrets.

Attack Path

How an attacker could exploit the issue

This vulnerability allows an authenticated user to gain control over an organization's cryptographic materials and database credentials. By creating a malicious server configuration, an attacker can trick the LibreChat server into connecting to a controlled domain. This connection transmits sensitive environment variables, such as secret keys and database URIs, directly within the request URL. This access enables a full compromise of the installation's security.

  • Exposure: Vulnerable server integration.
  • Attacker access: Authenticated user.
  • Trigger and result: Malicious URL transmits secrets.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows an authenticated user to potentially compromise an organization's LibreChat installation. An attacker could craft a malicious server configuration, leading the LibreChat server to transmit sensitive credentials and cryptographic secrets in the request URL. This could result in a full compromise of critical data, including database credentials and encryption keys.

  • Low skill level attacker.
  • Authenticated access required.
  • High business risk, urgent attention needed.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An organization using LibreChat versions up to and including 0.8.3 should take immediate action to address a critical security vulnerability. This vulnerability allows an authenticated user to craft a malicious server configuration. This configuration can cause the LibreChat server to transmit sensitive credentials, such as cryptographic keys and database connection URIs, to an attacker-controlled domain. Successful exploitation can lead to a full compromise of the installation's security materials. A fix is available in version 0.8.4-rc1.

  • Identify LibreChat installations and versions.
  • Restrict access to MCP server configuration.
  • Update to the patched version and verify.
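One way to support the restriction and detection steps above is to audit stored MCP server entries for URLs that reference environment variables. This is an added example, not code from LibreChat or from this advisory; the `${NAME}` placeholder syntax, the record fields (`name`, `owner`, `createdByUser`, `url`) and all sample values are assumptions.

```javascript
// Added example: audit stored MCP server URLs for environment-variable
// placeholders. The "${NAME}" syntax and the record shape are assumptions.
const PLACEHOLDER = /\$\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}/g;

// Decode repeatedly so percent-encoded or double-encoded placeholders are caught.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { break; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Returns the distinct placeholder names referenced anywhere in the URL string.
function placeholdersIn(url) {
  const names = new Set();
  for (const m of fullyDecode(String(url)).matchAll(PLACEHOLDER)) names.add(m[1]);
  return [...names];
}

// User-created entries with any placeholder are flagged as possible exposure;
// administrator-defined entries are reported for manual review instead.
function auditMcpServers(records) {
  const findings = [];
  for (const rec of records) {
    const names = placeholdersIn(rec.url);
    if (names.length === 0) continue;
    findings.push({
      name: rec.name,
      owner: rec.owner,
      placeholders: names,
      action: rec.createdByUser ? "treat-as-exposed" : "review",
    });
  }
  return findings;
}

// Constructed sample records (hypothetical names and hosts, not real data).
const SAMPLE = [
  { name: "docs-search", owner: "admin", createdByUser: false, url: "https://mcp.internal.example/sse" },
  { name: "helper", owner: "user-17", createdByUser: true, url: "https://mcp.example.net/sse?a=${EXAMPLE_SECRET}" },
  { name: "helper2", owner: "user-17", createdByUser: true, url: "https://mcp.example.net/%24%7BEXAMPLE_DB_URI%7D/sse" },
  { name: "corp", owner: "admin", createdByUser: false, url: "https://${EXAMPLE_HOST}/mcp" },
];

console.log(auditMcpServers(SAMPLE));
```

The same `placeholdersIn` check can be applied when a user saves an MCP server entry, rejecting the entry before the URL is ever resolved.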

Frequently asked questions

What is LibreChat and what is it used for?

LibreChat is a software platform designed to mimic the functionality of ChatGPT, offering integration with various AI providers. It allows users to interact with AI models through a chat interface.

How does CVE-2026-32625 expose sensitive information?

This vulnerability, a CWE-200 information exposure, allows an authenticated user to create a malicious configuration. The LibreChat server then reveals secrets like encryption keys and database credentials by sending them in a URL to an attacker's server when validating this configuration.

What are the preconditions for an attacker to exploit CVE-2026-32625?

An attacker must first have authenticated access to the LibreChat system. They then need to set up a malicious server configuration pointing to a domain they control, which includes specific environment variable references.

Who needs to care about this LibreChat vulnerability?

Organizations running LibreChat that is accessible from the internet should be particularly concerned. The Halo Surface Signal indicates this is an externally facing service, meaning it's a potential target for network-based attacks.

What is the first step for users running vulnerable LibreChat versions?

The immediate first step is to identify all LibreChat installations and confirm their versions. If running version 0.8.3 or earlier, access to the MCP server configuration should be restricted and an update to version 0.8.4-rc1 should be planned and verified.
