Missing Authentication for Critical Function in LibreChat - #VU133263

Published: June 3, 2026


Vulnerability identifier: #VU133263
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LibreChat
Affected software: LibreChat

Detailed vulnerability description

The vulnerability allows a remote user to take over two-factor authentication for an account.

The vulnerability exists due to missing authentication for a critical function in the GET /api/auth/2fa/enable endpoint when handling requests for accounts with 2FA already enabled. A remote user can call the endpoint with a valid session token to take over two-factor authentication for an account.

On such a request the endpoint overwrites the existing TOTP secret, generates new backup codes, and sets twoFactorEnabled to false, all without requiring TOTP or backup code verification.


Remediation

Install the security update from the vendor's website.

Sources