SB2026042790 - Information disclosure in LibreChat



SB2026042790 - Information disclosure in LibreChat

Published: April 27, 2026

Security Bulletin ID SB2026042790
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Information disclosure (CVE-ID: CVE-2026-31951)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in MCP server header processing when handling tool calls to user-created MCP servers. A remote user can create a malicious MCP server with crafted header placeholders to disclose sensitive information.

User interaction is required, and credential substitution in headers occurs during subsequent tool calls rather than initial connection or inspection. OAuth token exposure requires OpenID SSO to be configured and the victim to be authenticated through it.


Remediation

Install update from vendor's website.