SB2026042790 - Information disclosure in LibreChat
Published: April 27, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Information disclosure (CVE-ID: CVE-2026-31951)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in MCP server header processing when handling tool calls to user-created MCP servers. A remote user can create a malicious MCP server with crafted header placeholders to disclose sensitive information.
User interaction is required, and credential substitution in headers occurs during subsequent tool calls rather than initial connection or inspection. OAuth token exposure requires OpenID SSO to be configured and the victim to be authenticated through it.
Remediation
Install update from vendor's website.