CVE-2026-31944 Overview
CVE-2026-31944 is an authentication bypass vulnerability in LibreChat, a ChatGPT clone with additional features. The vulnerability exists in the MCP (Model Context Protocol) OAuth callback endpoint, which accepts redirects from identity providers and stores OAuth tokens without properly verifying that the browser accessing the redirect URL is logged in or that the authenticated user matches the user who initiated the OAuth flow.
This flaw enables a sophisticated attack where an attacker can send an authorization URL to a victim. When the victim completes the OAuth authentication flow, their OAuth tokens are incorrectly stored on the attacker's LibreChat account rather than their own. This enables complete account takeover of the victim's MCP-linked services, including enterprise platforms such as Atlassian and Outlook.
Critical Impact
Attackers can hijack OAuth tokens for MCP-linked services (Atlassian, Outlook, etc.) by tricking victims into completing OAuth flows, enabling unauthorized access to victim accounts on connected platforms.
Affected Products
- LibreChat 0.8.2
- LibreChat 0.8.2-rc1
- LibreChat 0.8.2-rc2
- LibreChat 0.8.2-rc3
Discovery Timeline
- 2026-03-13 - CVE CVE-2026-31944 published to NVD
- 2026-03-17 - Last updated in NVD database
Technical Details for CVE-2026-31944
Vulnerability Analysis
This vulnerability is classified under CWE-306 (Missing Authentication for Critical Function). The core issue lies in the MCP OAuth callback endpoint's failure to implement proper session binding and user verification during the OAuth token exchange process.
In a properly implemented OAuth flow, the callback endpoint should verify that the user who initiated the authorization request is the same user completing the flow. This is typically accomplished through state parameters, session cookies, or other binding mechanisms that cryptographically tie the OAuth session to a specific authenticated user.
LibreChat's implementation accepts OAuth tokens and stores them based solely on information contained within the OAuth flow itself, without cross-referencing the current authenticated session or validating user identity. This architectural oversight creates a critical authentication bypass that can be exploited through social engineering.
The vulnerability has a network-based attack vector requiring low privileges and user interaction. The impact is significant, with high confidentiality impact due to unauthorized access to connected service accounts, and low integrity impact through potential unauthorized actions on linked platforms.
Root Cause
The root cause of this vulnerability is the absence of proper session binding in the MCP OAuth callback handler. The endpoint fails to implement critical security checks:
- Missing session validation: The callback endpoint does not verify that a valid LibreChat session exists for the requesting browser
- No user binding verification: There is no mechanism to ensure the user completing the OAuth flow matches the user who initiated it
- Improper state parameter handling: The OAuth state parameter is not properly tied to a specific authenticated user session
This allows attackers to craft authorization URLs that, when completed by victims, result in OAuth tokens being stored against the attacker's account rather than the victim's account.
Attack Vector
The attack follows a social engineering approach combined with the OAuth flow manipulation:
- Preparation: The attacker creates a LibreChat account and initiates an MCP OAuth connection to a target service (e.g., Atlassian, Outlook)
- URL Capture: The attacker captures the authorization URL before completing their own OAuth flow
- Victim Targeting: The attacker sends this authorization URL to a victim through phishing or other social engineering methods
- Victim Completion: When the victim clicks the link and authenticates with their own credentials on the identity provider, they unknowingly complete the OAuth flow
- Token Hijacking: The victim's OAuth tokens are stored on the attacker's LibreChat account due to the missing session binding
- Account Access: The attacker can now access the victim's MCP-linked services through their own LibreChat account
For technical details and exploitation specifics, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-31944
Indicators of Compromise
- OAuth callback requests from IP addresses or user agents inconsistent with the user who initiated the OAuth flow
- Multiple OAuth token storage events for different identity provider accounts linked to a single LibreChat user
- Unusual access patterns to MCP-linked services from previously inactive LibreChat accounts
- Discrepancies between OAuth authorization initiation timestamps and callback completion timestamps
Detection Strategies
- Implement logging for all OAuth callback events, capturing session identifiers, IP addresses, and user agent strings
- Monitor for OAuth flows where the callback completion occurs from a different client than the initiation
- Alert on patterns of OAuth token acquisition that suggest token harvesting (multiple tokens for different users)
- Review MCP service access logs for unusual patterns following OAuth token acquisitions
Monitoring Recommendations
- Enable detailed audit logging for all OAuth-related endpoints in LibreChat
- Configure alerts for OAuth callback events with mismatched session data
- Monitor connected MCP services (Atlassian, Outlook) for unauthorized access patterns
- Implement rate limiting and anomaly detection on OAuth flow initiations
How to Mitigate CVE-2026-31944
Immediate Actions Required
- Upgrade LibreChat to version 0.8.3-rc1 or later immediately
- Review existing OAuth token associations for any suspicious linkages
- Revoke and reauthorize all MCP OAuth connections after upgrading
- Notify users to review their connected service accounts for unauthorized access
Patch Information
The vulnerability has been addressed in LibreChat version 0.8.3-rc1. The fix implements proper session binding and user verification in the MCP OAuth callback endpoint. Organizations should upgrade to this version or later to remediate the vulnerability.
For complete patch details, see the GitHub Security Advisory for GHSA-vf7j-7mrx-hp7g.
Workarounds
- Disable MCP OAuth integrations until the patch can be applied
- Implement network-level access controls to restrict OAuth callback endpoints to known, trusted IP ranges
- Train users to be cautious of unexpected OAuth authorization requests
- Consider implementing additional WAF rules to detect and block suspicious OAuth callback patterns
# Configuration example - Disable MCP integrations in LibreChat
# Add to your LibreChat configuration or environment variables
MCP_ENABLED=false
OAUTH_MCP_INTEGRATIONS_ENABLED=false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
