HIGH 7.1

CVE-2026-31942: LibreChat IDOR Vulnerability Allows Unauthorized API Key Manipulation

LibreChat versions up to 0.7.6 contain a critical flaw in how API keys are managed. Any authenticated user can manipulate API key settings for other users by injecting parameters into requests, allowing them to replace legitimate API keys (from providers like OpenAI, Anthropic, or Azure) with their own or invalid ones. This means an attacker could intercept conversations through attacker-controlled API endpoints or disable a victim's service entirely.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Weaknesses (CWE)
CWE-862
Affected products
1 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.7.6, an Insecure Direct Object Reference (IDOR) vulnerability exists in the API keys management endpoint (PUT /api/keys). Due to the use of the JavaScript object spread operator after setting the authenticated user's ID, any authenticated user can inject a userId parameter in the request body to overwrite any other user's API keys (e.g., OpenAI, Anthropic, Azure). This allows an attacker to replace a victim's API key configuration, potentially routing the victim's conversations through attacker-controlled keys or denying service by providing invalid keys. This is patched in version 0.8.3-rc1.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-31942 is an Insecure Direct Object Reference (IDOR) vulnerability in LibreChat's API key management endpoint (PUT /api/keys). The vulnerability stems from unsafe use of the JavaScript object spread operator following authenticated user ID assignment. When a request is processed, the code sets the user's ID, then applies a spread operator that merges additional properties from the request body. An attacker can exploit this by sending a crafted request with a userId parameter to override another user's configuration. The vulnerability affects the storage and routing of API credentials for third-party AI providers. It is patched in version 0.8.3-rc1.

Business impact

If exploited, this vulnerability could result in unauthorized access to or manipulation of API credentials, leading to several business risks: stolen API keys could be monetized or used to exhaust quota limits; conversations could be rerouted through attacker-controlled infrastructure, creating data exfiltration and compliance risks; service denial attacks become possible by replacing keys with invalid credentials; and customers may face unexpected billing or service interruptions from unauthorized API consumption. For SaaS or self-hosted LibreChat deployments serving multiple users, the reputational and financial impact could be significant.

Affected systems

LibreChat versions 0.7.6 and earlier are vulnerable. The issue has been resolved in version 0.8.3-rc1. Organizations running self-hosted LibreChat instances or relying on LibreChat as part of their AI infrastructure stack should audit their deployment versions immediately.

Exploitability

Exploitation requires valid authentication to LibreChat—an attacker must have a user account. Once authenticated, no special privileges or user interaction is required; the attack is carried out via a simple API request with an injected userId parameter. The network attack surface is accessible, making this feasible for any authenticated user. The CVSS score of 7.1 (HIGH) reflects the combination of low authentication requirements and significant integrity and availability impacts.

Remediation

Upgrade to version 0.8.3-rc1 or later as soon as possible. The patch corrects the object spread operator logic to prevent userId injection. Organizations should also audit existing API key configurations to identify any unauthorized changes or suspicious key history logs. If available, enable API key usage monitoring and rate-limit alerts to detect anomalous consumption patterns.

Patch guidance

Verify your current LibreChat version and upgrade to 0.8.3-rc1 or any patched release version beyond that. If you are running a stable release version, check the official LibreChat repository or vendor advisories for the corresponding patched release. Test the upgrade in a non-production environment first to ensure compatibility with your deployment. Note that version 0.8.3-rc1 is a release candidate; confirm against the official vendor advisory for the recommended production-grade patch version.

Detection guidance

Monitor API request logs for PUT requests to /api/keys containing userId parameters in the request body that differ from the authenticated user's own ID. Check for suspicious changes to API key configurations by reviewing audit logs or key modification timestamps. Look for requests from users attempting to modify keys belonging to other users. Implement alerts on failed API key validation attempts, which may indicate an attacker testing replaced credentials. If available, enable verbose logging of API key assignments and scope changes.

Why prioritize this

This vulnerability deserves immediate attention because it requires only user-level authentication to execute, affects all users in a multi-user LibreChat deployment, and enables both confidentiality (via credential theft) and availability (via service denial) attacks. The high CVSS score and the direct control over API credentials create a significant risk posture. Multi-tenant deployments are at particular risk.

Risk score, explained

The CVSS 3.1 score of 7.1 (HIGH) is driven by: low attack complexity (L), requiring only low privilege (L) user authentication (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact from the vulnerability itself (C:N), but high integrity impact (I:H) due to the ability to modify any user's API keys, and low availability impact (A:L) from the potential for service disruption. The combination of easy exploitation post-authentication and significant integrity compromise justifies the HIGH severity rating.

Frequently asked questions

Can this vulnerability be exploited without a LibreChat account?

No. The attacker must be an authenticated user of the LibreChat instance. However, this does not require administrative privileges—any regular user account is sufficient to launch the attack.

What happens if an attacker injects an invalid API key for another user?

The victim's conversations would fail to process through the target AI provider, resulting in service denial. Depending on how LibreChat handles failures, users may see errors or be unable to use certain features until the correct key is restored.

Does this vulnerability expose actual API key values to other users?

The vulnerability allows an attacker to overwrite keys, not necessarily to read existing keys directly. However, an attacker could replace a victim's key and then monitor the victim's API usage patterns through their own infrastructure, effectively intercepting or observing conversation flow.

Is upgrading sufficient, or do I need to audit past activity?

Upgrading is essential to stop new attacks, but you should also review API key change logs and configurations to identify whether any unauthorized modifications occurred. If found, regenerate affected API keys with the providers and notify users.

This analysis is based on the published CVE description and CVSS vector provided. Version numbers, patch details, and affected product information are as stated in the source data; verify patch applicability against official LibreChat vendor advisories before deployment. This document is for informational purposes and does not constitute professional security advice. Organizations should conduct their own risk assessments and testing prior to remediation. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).