Server-Side Request Forgery (SSRF) in LibreChat - CVE-2026-31943

 


Published: April 27, 2026


Vulnerability identifier: #VU128114
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-31943
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LibreChat
Affected software: LibreChat

Detailed vulnerability description

The vulnerability allows a remote user to make the server issue HTTP requests to internal network resources and disclose sensitive information.

The vulnerability exists due to server-side request forgery in isPrivateIP() in packages/api/src/auth/domain.ts when processing IPv4-mapped IPv6 addresses in hex-normalized form. A remote user can supply a specially crafted domain value to make the server issue HTTP requests to internal network resources and disclose sensitive information.

Exploitation requires permission to create or execute agent actions, and affected call sites include action creation, action execution, and MCP server connections.
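As an added example (not LibreChat's code and not the contents of packages/api/src/auth/domain.ts), the TypeScript below shows the defensive pattern this bug class calls for: parse an address literal to its numeric value, fold IPv4-mapped IPv6 in both the dotted form (`::ffff:127.0.0.1`) and the hex-normalized form (`::ffff:7f00:1`) back to IPv4, and only then compare against private ranges. The `naiveIsPrivateIP` function is a constructed illustration of the weakness (string matching that recognises only the dotted mapped form); it is an assumption about the bug class, not a description of the vulnerable code. The range list and all function names are likewise assumptions for this example.

```typescript
// Added example, not LibreChat's code: canonicalise before classifying.
type V6 = number[]; // eight 16-bit groups

/** Parse dotted-decimal IPv4 into a 32-bit unsigned integer, or null. */
export function parseIPv4(s: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n; // non-negative JS number, fits in 32 bits
}

/** Expand an IPv6 literal into eight groups; handles "::" and a trailing dotted IPv4. */
export function parseIPv6(s: string): V6 | null {
  if (s.includes("%")) return null; // zone ids are rejected here
  let text = s;
  let tail: number[] = [];
  // A trailing dotted quad ("::ffff:127.0.0.1") becomes the last two groups.
  const lastColon = text.lastIndexOf(":");
  if (lastColon !== -1 && text.slice(lastColon + 1).includes(".")) {
    const v4 = parseIPv4(text.slice(lastColon + 1));
    if (v4 === null) return null;
    tail = [Math.floor(v4 / 65536), v4 % 65536];
    text = text.slice(0, lastColon + 1) + "0:0"; // placeholder groups, patched in below
  }
  const halves = text.split("::");
  if (halves.length > 2) return null;
  const toGroups = (part: string): number[] | null => {
    if (part === "") return [];
    const out: number[] = [];
    for (const g of part.split(":")) {
      if (!/^[0-9a-fA-F]{1,4}$/.test(g)) return null;
      out.push(parseInt(g, 16));
    }
    return out;
  };
  const head = toGroups(halves[0]);
  const rest = halves.length === 2 ? toGroups(halves[1]) : [];
  if (head === null || rest === null) return null;
  const missing = 8 - head.length - rest.length;
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  const fill: number[] = halves.length === 2 ? new Array(missing).fill(0) : [];
  const groups: number[] = [...head, ...fill, ...rest];
  if (tail.length) { groups[6] = tail[0]; groups[7] = tail[1]; }
  return groups;
}

/** If the groups encode an IPv4-mapped address (::ffff:a.b.c.d), return that IPv4. */
export function mappedIPv4(g: V6): number | null {
  const prefixZero = g.slice(0, 5).every((x) => x === 0);
  return prefixZero && g[5] === 0xffff ? g[6] * 65536 + g[7] : null;
}

// Assumed range list for the example: loopback, RFC 1918, link-local, CGNAT, "this" network.
const V4_PRIVATE: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

export function isPrivateIPv4(n: number): boolean {
  return V4_PRIVATE.some(([base, bits]) => {
    const b = parseIPv4(base) as number;
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((b & mask) >>> 0);
  });
}

export function isPrivateIPv6(g: V6): boolean {
  const unspecified = g.every((x) => x === 0);                       // ::
  const loopback = g.slice(0, 7).every((x) => x === 0) && g[7] === 1; // ::1
  const ula = (g[0] & 0xfe00) === 0xfc00;                             // fc00::/7
  const linkLocal = (g[0] & 0xffc0) === 0xfe80;                       // fe80::/10
  return unspecified || loopback || ula || linkLocal;
}

/** Hardened check: decide on the numeric address, never on the string spelling. */
export function isPrivateIP(host: string): boolean {
  const h = host.startsWith("[") && host.endsWith("]") ? host.slice(1, -1) : host;
  const v4 = parseIPv4(h);
  if (v4 !== null) return isPrivateIPv4(v4);
  const v6 = parseIPv6(h);
  if (v6 === null) return false; // not an IP literal: caller must resolve and re-check
  const mapped = mappedIPv4(v6);
  if (mapped !== null) return isPrivateIPv4(mapped); // ::ffff:127.0.0.1 and ::ffff:7f00:1 alike
  return isPrivateIPv6(v6);
}

/** Constructed illustration of the weakness: only the dotted mapped form is recognised. */
export function naiveIsPrivateIP(host: string): boolean {
  const v4 = parseIPv4(host.startsWith("::ffff:") ? host.slice(7) : host);
  return v4 !== null ? isPrivateIPv4(v4) : host === "::1";
}
```

The point of the design is that every spelling of the same address (`127.0.0.1`, `::ffff:127.0.0.1`, `::ffff:7f00:1`, `0:0:0:0:0:ffff:7f00:1`, bracketed or not) collapses to one 32-bit value before the range comparison, so a check cannot be bypassed by changing notation. A hostname rather than a literal returns false here only because it must be resolved first; a complete SSRF guard re-runs this check on the resolved address and keeps it pinned for the actual connection.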


How to mitigate CVE-2026-31943

Install the security update from the vendor's website.
