Authorization bypass through user-controlled key in LibreChat - CVE-2026-31942

Published: June 3, 2026


Vulnerability identifier: #VU133265
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-31942
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LibreChat
Affected software:
LibreChat

Detailed vulnerability description

The vulnerability allows a remote authenticated user to overwrite other users' API keys.

The vulnerability exists due to improper access control in the API key management endpoint when handling PUT requests to /api/keys. The handler accepts a userId parameter in the request body, so a remote user who is already authenticated (PR:L in the vector above) can supply another user's userId and overwrite that user's stored API keys.

The root cause is that a userId value in the request body overrides the authenticated user's ID during key update processing, i.e. the key that selects the record to update is user-controlled (CWE-639).
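The following is an added illustration of the access-control pattern described above; it is not LibreChat's code. The handler shape, the field names (name, value, userId), the req.user.id populated by an assumed authentication middleware, and the in-memory key store are all assumptions made so the example runs offline. It places a vulnerable handler, in which a body-supplied userId takes precedence over the authenticated identity, beside a hardened one that takes the principal only from the session and rejects a body userId outright.

```javascript
// Added example of the CWE-639 pattern from the advisory. NOT LibreChat's
// code: handler shape, field names and the in-memory store are assumptions.

// Simulated per-user key store: userId -> Map(name -> keyValue)
function createStore() {
  return new Map();
}

function getKey(store, userId, name) {
  const keys = store.get(userId);
  return keys ? keys.get(name) : undefined;
}

function setKey(store, userId, name, value) {
  if (!store.has(userId)) store.set(userId, new Map());
  store.get(userId).set(name, value);
}

// Vulnerable handler (assumed shape): the authenticated id is only a
// default, so a caller-supplied body.userId wins and any authenticated
// user can write into another user's key slot.
function vulnerableUpdateKey(store, req) {
  const { userId = req.user.id, name, value } = req.body;
  setKey(store, userId, name, value);
  return { status: 200, userId };
}

// Hardened handler: the principal comes only from the authenticated
// session. A body.userId is rejected rather than silently ignored, which
// also gives operators a log line to alert on.
function hardenedUpdateKey(store, req) {
  if (Object.prototype.hasOwnProperty.call(req.body, 'userId')) {
    return { status: 400, error: 'userId is not an accepted field' };
  }
  const { name, value } = req.body;
  if (typeof name !== 'string' || typeof value !== 'string') {
    return { status: 400, error: 'name and value must be strings' };
  }
  setKey(store, req.user.id, name, value);
  return { status: 200, userId: req.user.id };
}

// Reproduce the scenario with constructed data: bob already has a key;
// alice, authenticated as alice, sends PUT /api/keys with userId: 'bob'
// in the body. Returns what each handler did to bob's and alice's keys.
function demo(handler) {
  const store = createStore();
  setKey(store, 'bob', 'openai', 'sk-bob-original');
  const req = {
    user: { id: 'alice' }, // would be set by the auth middleware
    body: { userId: 'bob', name: 'openai', value: 'sk-attacker' },
  };
  const res = handler(store, req);
  return {
    status: res.status,
    bobKey: getKey(store, 'bob', 'openai'),
    aliceKey: getKey(store, 'alice', 'openai'),
  };
}

console.log('vulnerable:', demo(vulnerableUpdateKey));
console.log('hardened:  ', demo(hardenedUpdateKey));
```

With the vulnerable handler the call returns 200 and bob's key is replaced by the attacker's value; with the hardened handler it returns 400 and neither user's keys change. Rejecting the field instead of dropping it is a deliberate choice: a legitimate client never sends userId for this endpoint, so its presence is a clean signal for detection.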


How to mitigate CVE-2026-31942

Install the security update from the vendor's website.

Sources