External risk intelligence

LibreChat OAuth Token Theft Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-54030

LibreChat is typically deployed as a web application or chat interface, which are commonly internet-facing services. Because it functions as a user-accessible web application, it is often exposed to the network to allow remote user interaction.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability has been identified in LibreChat, an AI platform that supports multiple providers, due to an issue in its OAuth implementation. This flaw could allow a compromised server to intercept access tokens intended for legitimate services, potentially leading to unauthorized access. The primary concern is to verify if your instance of LibreChat is affected and to ensure it is updated to the latest version.

  • OAuth flaw may steal access tokens.
  • Verify if your LibreChat instance is affected.
  • Confirm relevance and exposure of your systems.

Attack Path

How an attacker could exploit the issue

An attacker could trick a user into interacting with a malicious OAuth server, which then allows them to steal access tokens intended for the legitimate LibreChat server. This occurs because LibreChat's OAuth implementation does not properly verify the resource parameter, enabling the malicious server to impersonate the legitimate one.

  • Requires user interaction with a malicious server.
  • Vulnerable OAuth implementation.
  • Token theft and unauthorized access.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow a malicious server to intercept access tokens intended for LibreChat's legitimate OAuth provider when a user attempts to authenticate through a compromised or rogue MCP server. This could lead to unauthorized access to user accounts and potentially sensitive information managed by LibreChat.

  • User access tokens.
  • User authenticates to malicious MCP server.
  • Account takeover possible.

Operational Fix

Recommended remediation, mitigation, and detection steps

LibreChat deployments are likely the responsibility of application owners or platform teams managing the chat interface, with potential involvement from network and security teams for exposure review. The immediate priority is to identify all instances of LibreChat, determine their reachability and business criticality, and then confirm the accountable owner before planning remediation based on assessed risk.

  • Application owners must manage the issue.
  • Verify network reachability and business criticality.
  • Plan remediation based on risk assessment.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is LibreChat?

LibreChat is a platform that functions as an enhanced, open-source clone of ChatGPT. It allows users to interface with multiple AI models and providers through a single web-based dashboard. It acts as a bridge, managing connections and authentication between the user and various AI services, making it a central point for AI-assisted workflows.

What does CWE-346 mean for CVE-2026-54030?

CWE-346 refers to Improper Validation of Origin. In this CVE, the software fails to verify that the 'resource' parameter in OAuth metadata matches the expected server URL. Because of this weakness, the application cannot reliably distinguish between a legitimate AI provider and a malicious one, effectively allowing an untrusted entity to pose as a valid service to intercept sensitive authentication tokens.

How is this token theft triggered?

An attacker triggers this by convincing a user to interact with a malicious MCP (Model Context Protocol) server. The software does not check the destination of the OAuth exchange, so it mistakenly sends tokens to the attacker's server instead of the intended service. Note that simply running the software in an isolated environment without connecting to rogue or unverified external MCP servers does not trigger this specific vulnerability.

Is my LibreChat instance at risk?

If your instance is internet-facing, it is considered more likely to be accessed by users who might be lured to interact with external services, according to Halo Surface Signal. Even if the application is internal, the risk remains if users have the ability to configure or connect to untrusted MCP servers. You should evaluate your deployment's connectivity and the trustworthiness of any third-party providers currently integrated into your chat environment.

Do I need to update LibreChat?

Yes, you should update to version 0.8.5 or later. This release introduces the necessary validation logic to ensure the resource parameter is checked against the configured server URL. Start by identifying all active instances in your environment, verify their version numbers, and prioritize applying the update to prevent unauthorized token interception.

References