Description
LibreChat is a ChatGPT clone with additional features. From 0.8.2 to 0.8.2-rc3, The MCP (Model Context Protocol) OAuth callback endpoint accepts the redirect from the identity provider and stores OAuth tokens for the user who initiated the flow, without verifying that the browser hitting the redirect URL is logged in or that the logged-in user matches the initiator. An attacker can send the authorization URL to a victim; when the victim completes the flow, the victim’s OAuth tokens are stored on the attacker’s LibreChat account, enabling account takeover of the victim’s MCP-linked services (e.g. Atlassian, Outlook). This vulnerability is fixed in 0.8.3-rc1.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/danny-avila/LibreChat/security/advisories/GHSA-vf7j-7mrx-hp7g
Scores
CVSS v3
7.6
EPSS
0.0024
EPSS Percentile
15.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-306
Status
published
Products (2)
danny-avila/LibreChat
>= v0.8.2, <= 0.8.2-rc3
librechat/librechat
0.8.2 (4 CPE variants)
Published
Mar 13, 2026
Tracked Since
Mar 14, 2026