CVE-2026-32625 Overview
LibreChat is an open-source ChatGPT clone that integrates multiple AI providers and supports the Model Context Protocol (MCP). CVE-2026-32625 is a critical information disclosure vulnerability [CWE-200] affecting LibreChat versions up to and including 0.8.3. The flaw exists in the MCP server integration, which resolves ${VAR} placeholders against the server's process.env during Zod schema validation of user-supplied MCP server URLs. Any authenticated user can register a malicious MCP server pointing to an attacker-controlled domain and exfiltrate sensitive secrets, including CREDS_KEY, CREDS_IV, JWT_SECRET, and MONGO_URI. The maintainers patched the issue in version 0.8.4-rc1.
Critical Impact
Authenticated attackers can exfiltrate cryptographic keys and database credentials without administrative privileges, enabling full compromise of the LibreChat installation.
Affected Products
- LibreChat versions 0.8.3 and earlier
- LibreChat deployments using the Model Context Protocol (MCP) integration
- LibreChat instances where authenticated users can configure MCP servers
Discovery Timeline
- 2026-06-02 - CVE-2026-32625 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-32625
Vulnerability Analysis
The vulnerability resides in the Zod schema validation layer that processes user-supplied MCP server URLs. During validation, LibreChat expands ${VAR} template placeholders by reading values directly from the server's process.env. The substitution occurs before any allow-list checks on the destination host. An authenticated user can submit a URL such as https://attacker.example/${JWT_SECRET}, causing the LibreChat backend to interpolate the environment variable into the outbound request path. When the server then connects to the MCP endpoint, the secret is transmitted in the URL query or path component to the attacker.
Because LibreChat stores its database credentials, JSON Web Token (JWT) signing keys, and credential encryption keys in environment variables, a single successful request leaks the entire cryptographic trust base. With CREDS_KEY and CREDS_IV, an attacker can decrypt stored third-party API keys. With JWT_SECRET, the attacker can forge authentication tokens for any user, including administrators. The MONGO_URI provides direct read-write access to the application's MongoDB instance.
Root Cause
The root cause is unsafe expansion of environment variable references on untrusted input. The configuration parser treats user-supplied strings as templates rather than literals, violating the principle that user input must never be evaluated against server-side secrets.
Attack Vector
The attack requires only a low-privilege authenticated account. The attacker creates an MCP server configuration whose URL contains environment variable placeholders pointing at a domain they control. When LibreChat resolves the placeholders and initiates the connection, the secrets are appended to the request and captured in the attacker's web server logs. See the GitHub Security Advisory for technical details.
Detection Methods for CVE-2026-32625
Indicators of Compromise
- Outbound HTTPS connections from the LibreChat backend to domains not present in the organization's MCP allow-list.
- Request URLs in egress proxy logs containing high-entropy strings resembling base64 or hex secrets in the path or query.
- MCP server configurations stored in MongoDB whose url field contains ${ substring references.
- Unexpected JWT issuance or session activity from accounts after MCP server creation events.
Detection Strategies
- Audit the LibreChat MongoDB mcpServers collection for URL values containing ${ or environment variable names.
- Inspect web server and proxy logs for outbound requests originating from the LibreChat process with embedded credential-like tokens.
- Correlate MCP configuration creation events with subsequent outbound connections to newly observed external domains.
Monitoring Recommendations
- Enable egress filtering and log all outbound HTTP requests from the LibreChat application container.
- Alert on creation or modification of MCP server records by non-administrative accounts.
- Monitor for use of the JWT_SECRET indicators such as tokens signed outside the application's normal issuance flow.
How to Mitigate CVE-2026-32625
Immediate Actions Required
- Upgrade LibreChat to version 0.8.4-rc1 or later immediately.
- Rotate all secrets exposed through environment variables, including CREDS_KEY, CREDS_IV, JWT_SECRET, and MONGO_URI.
- Re-encrypt stored third-party API credentials after rotating CREDS_KEY and CREDS_IV.
- Invalidate all existing user sessions and force re-authentication after rotating JWT_SECRET.
Patch Information
The maintainers released a fix in LibreChat 0.8.4-rc1. The patch removes environment variable interpolation from user-supplied MCP server URLs during schema validation. Review the GitHub Security Advisory GHSA-4pcc-j6m6-wcwx for the full remediation notes and commit references.
Workarounds
- Restrict MCP server configuration to trusted administrators by disabling user-level MCP creation until the patch is applied.
- Apply strict egress network policies that only allow outbound connections to a defined MCP server allow-list.
- Remove sensitive secrets from process.env and load them through a runtime secrets manager that is not exposed to template interpolation.
# Upgrade LibreChat to the patched release
git fetch --tags
git checkout v0.8.4-rc1
npm install
npm run build
# Rotate exposed secrets (example placeholders)
export CREDS_KEY="$(openssl rand -hex 32)"
export CREDS_IV="$(openssl rand -hex 16)"
export JWT_SECRET="$(openssl rand -hex 64)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
