CRITICAL | CVE-2026-32625 | CNA: GitHub_M

CVE-2026-32625: LibreChat Exfiltrates Server Secrets via MCP Server URL Injection

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, the Model Context Protocol (MCP) server integration resolves ${VAR} placeholders against the server's process.env during Zod schema validation of user-supplied MCP server URLs. Any authenticated user can create a malicious MCP server configuration with a URL pointing to an attacker-controlled domain containing environment variable references, causing the LibreChat server to connect to the attacker's server and transmit critical secrets such as CREDS_KEY, CREDS_IV, JWT_SECRET, and MONGO_URI in the request URL. This enables full compromise of the installation's cryptographic materials and database credentials without requiring administrative privileges. This is patched in version 0.8.4-rc1.
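The flaw described above, as an added example (not LibreChat's code or its actual patch): `expandEnv` reproduces the unsafe pattern of expanding `${VAR}` for any input, and `validateMcpUrl` shows one hardened alternative, with an audit helper for stored configurations. All function names, the `source` field, hostnames and environment values are constructed assumptions.

```javascript
// Added illustration, not LibreChat code. All names and values are constructed.
const PLACEHOLDER = /\$\{([^}]*)\}/g;

// The unsafe pattern: expand ${VAR} from the server environment for any input.
function expandEnv(value, env) {
  return value.replace(PLACEHOLDER, (match, name) =>
    Object.prototype.hasOwnProperty.call(env, name) ? env[name] : match);
}

// Hardened validation: user-supplied URLs are never expanded. Operator-supplied
// URLs may reference only variables on an explicit allowlist.
function validateMcpUrl(raw, { source, env = {}, allowedVars = [] } = {}) {
  let value = raw;
  if (raw.includes('${')) {
    if (source !== 'operator') {
      return { ok: false, reason: 'placeholder in user-supplied URL' };
    }
    const names = [...raw.matchAll(PLACEHOLDER)].map((m) => m[1]);
    const denied = names.filter((n) => !allowedVars.includes(n));
    if (denied.length > 0) {
      return { ok: false, reason: `variable not allowlisted: ${denied.join(', ')}` };
    }
    // Expand against a scoped copy so nothing outside the allowlist is reachable.
    const scoped = Object.fromEntries(allowedVars.map((n) => [n, env[n] ?? '']));
    value = expandEnv(raw, scoped);
  }
  let url;
  try {
    url = new URL(value);
  } catch {
    return { ok: false, reason: 'not a valid URL' };
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return { ok: false, reason: `unsupported scheme ${url.protocol}` };
  }
  return { ok: true, url: url.href };
}

// Audit helper: ids of stored, user-created configs that still carry placeholders.
function findSuspectConfigs(records) {
  return records
    .filter((r) => r.source === 'user' && r.url.includes('${'))
    .map((r) => r.id);
}
```

Running `findSuspectConfigs` over existing MCP server records after upgrading helps identify configurations that were created while the vulnerable version was deployed.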

Metrics

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in:
Affected Products: 1

HarborGuard Analysis

Synopsis

A server-side template injection vulnerability affects LibreChat versions up to and including 0.8.3. Any authenticated user can craft a malicious MCP server URL containing environment variable placeholders (in the form ${VAR}), which LibreChat resolves against its own process environment during schema validation, then transmits to an attacker-controlled host. Successful exploitation exposes cryptographic secrets and database credentials, enabling full compromise of the installation. A patched-image rebuild at version 0.8.4-rc1 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: CVE-2026-32625 is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built LibreChat images, in both registry scans and CI/CD pipeline checks.

Status: Available

Triage

HarborGuard scores this finding at CVSS 9.6 (Critical) and applies per-environment compliance policy weighting to determine priority and routing, directing alerts to the appropriate team inbox within each customer organization.

Status: Available

Patch

Because a fix exists at version 0.8.4-rc1, a patched-image rebuild at that version is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the LibreChat service over the network to submit a crafted MCP server configuration.

  • Authentication: Required

    Any low-privilege user account is sufficient; no administrative access is needed to supply a malicious MCP server URL.

  • Victim interaction: Not required

    No user interaction beyond the attacker's own session is needed; the server resolves environment variables and makes the outbound request automatically during validation.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free; the attacker simply provides a URL with ${VAR} placeholders and receives the resolved secrets at their endpoint.

Blast Radius

  • Reads high-value server secrets including CREDS_KEY, CREDS_IV, and JWT_SECRET, which are transmitted in plaintext to the attacker's endpoint via the outbound connection.
  • Reads the MONGO_URI credential, giving the attacker direct connection details for the backing database.
  • With possession of JWT_SECRET, the attacker forges valid session tokens for any user, including administrators, achieving full account takeover.
  • With CREDS_KEY and CREDS_IV, the attacker decrypts any credentials stored in LibreChat's encrypted credential store, exposing all saved API keys and provider tokens.

How HarborGuard Handles This

Available on HarborGuard: images running LibreChat at or below 0.8.3 are flagged Critical, and a patched-image rebuild at version 0.8.4-rc1 is available for those environments. For customers who opt into auto-remediation, HarborGuard triggers a rebuild at the fix version, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Because no general-availability fix has been published (only a release candidate), customers who cannot immediately redeploy should consider applying network-policy controls that block unexpected outbound connections from the LibreChat container to untrusted external hosts, limiting the blast radius of the outbound secret transmission. HarborGuard re-checks the advisory on each ingest cycle and will surface the stable fix version the moment it is published upstream.

Affected packages
  • danny-avila / LibreChat
    < 0.8.4-rc1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N