MEDIUM 6.5

CVE-2026-44653: LibreChat MCP Server Credential Exposure (0.8.3 & Earlier)

LibreChat versions up to 0.8.3 expose sensitive credentials to users with view-only access to MCP (Model Context Protocol) servers. When a user with limited permissions queries the server configuration API, they receive plaintext API keys and OAuth secrets that should remain encrypted and admin-only. This breaks the intended access control model where viewers should never see the credentials needed to authenticate with external AI providers. An attacker with even basic read access can steal these secrets and impersonate the legitimate service.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-201
Affected products
1 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, users with only `VIEW` access to an MCP server can retrieve the server's decrypted admin-managed secrets through `GET /api/mcp/servers` and `GET /api/mcp/servers/:serverName`. The returned config includes plaintext values for `apiKey.key` and `oauth.client_secret`. This allows viewers of a shared MCP server to exfiltrate the underlying provider credentials. Version 0.8..4 contains a patch. Other remediations include: never returning decrypted admin-managed secrets to non-owners; redacting apiKey.key and oauth.client_secret from all API responses consider returning only boolean presence indicators for secrets, similar to the auth-values route pattern; and, if owners need to edit configs without re-entering secrets, preserving secrets server-side and returning placeholders instead of plaintext.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from insufficient authorization checks in LibreChat's MCP server configuration endpoints. GET requests to /api/mcp/servers and /api/mcp/servers/:serverName return fully decrypted sensitive fields (apiKey.key and oauth.client_secret) regardless of the requester's permission level. The application fails to implement the principle of least privilege—it should either redact these fields entirely, return boolean indicators of their presence, or store them server-side and return only placeholders. CWE-201 (Exposure of Sensitive Information Through Output) directly applies. The CVSS 3.1 score of 6.5 reflects the confidentiality impact (high) without integrity or availability risk, assuming network-accessible APIs and low privilege requirements to trigger exposure.

Business impact

Credential theft undermines the security boundary between teams and customers sharing LibreChat instances. If your MCP servers integrate with paid AI services, billing accounts, or proprietary APIs, compromised credentials can lead to unauthorized API usage, unexpected costs, and potential service disruption. In multi-tenant or shared environments, a low-privilege user or collaborator can extract credentials for high-value integrations, creating supply-chain risk if those credentials are reused across systems. Incident response and credential rotation become necessary once exposure is discovered.

Affected systems

LibreChat versions 0.8.0 through 0.8.3 are vulnerable. Version 0.8.4 contains the patch. Organizations running self-hosted or cloud-deployed LibreChat instances with MCP server configurations should verify their version immediately. Any LibreChat installation where users have different permission levels and MCP servers are shared is at risk.

Exploitability

Exploitability is straightforward and requires only valid user credentials at the viewer level—no special network position, authentication bypass, or user interaction needed. An authenticated user with VIEW permission can make simple HTTP GET requests to retrieve plaintext secrets. No CVE entry in CISA's Known Exploited Vulnerabilities (KEV) catalog indicates active in-the-wild exploitation as of the last update, but the low technical barrier means active exploitation should not be ruled out in environments where credential theft provides financial or operational gain.

Remediation

Upgrade LibreChat to version 0.8.4 or later. If immediate upgrade is not feasible, restrict API access to /api/mcp/servers endpoints using network controls or reverse proxy rules to limit access to administrative users only. Review MCP server configurations for any credentials that may have been viewed or accessed by non-admin users, and rotate those credentials (API keys, OAuth secrets) in the external services immediately. Audit logs (if available) to identify which users queried the endpoints and when.

Patch guidance

Apply LibreChat 0.8.4 as soon as practical. Verify the patch is installed by checking the application version in the UI or via package manager. After patching, test that VIEW-level users can no longer retrieve plaintext secrets from the server configuration endpoints—use a test user account and confirm that sensitive fields are either absent or redacted. Rotate all credentials previously exposed through MCP server queries.

Detection guidance

Monitor HTTP request logs for repeated GET requests to /api/mcp/servers or /api/mcp/servers/:serverName originating from non-administrative users. Flag any instances where users with limited permissions access these endpoints. Review MCP server configuration responses in application logs or WAF/proxy logs to identify if plaintext secrets have been returned. If LibreChat provides audit logging, search for configuration read events by low-privilege users. Network-based detection can watch for exfiltration of credentials from the application (e.g., API keys appearing in outbound requests that match patterns in server configs).

Why prioritize this

MEDIUM severity (6.5 CVSS) applies because exploitation requires authentication and network access, limiting the attack surface. However, the high confidentiality impact and low exploitation complexity warrant prompt patching. Prioritize based on your specific risk: if LibreChat MCP servers contain credentials for high-value or sensitive services (billing APIs, proprietary data platforms), treat as high priority. If LibreChat is deployed in isolated environments with strong access controls or contains only low-sensitivity credentials, routine patching windows are acceptable.

Risk score, explained

The CVSS 3.1 score of 6.5 reflects: (1) Network-accessible endpoints (AV:N), (2) Low attack complexity with no special conditions (AC:L), (3) Low privilege required—any authenticated user can exploit (PR:L), (4) No user interaction necessary (UI:N), (5) Confidentiality impact rated High due to plaintext credential exposure, (6) No impact on Integrity or Availability. The score would be higher if exploitation were unauthenticated or if the vulnerability enabled further system compromise; it is not lower because credential theft in shared environments carries meaningful business risk.

Frequently asked questions

Do we need to upgrade if we don't use MCP servers?

No. If your LibreChat instance does not configure any MCP server integrations, the vulnerable endpoints are not actively used, but upgrading to 0.8.4 is still recommended for general security posture and to protect against future misconfigurations.

If we've patched to 0.8.4, do we still need to rotate credentials?

Yes. The patch prevents future exposure, but any credentials returned in plaintext responses before patching should be considered compromised. Rotate all API keys and OAuth secrets used by MCP servers to ensure no stale credentials remain valid for attackers to use.

Can we detect if our credentials were already stolen before patching?

It is difficult without detailed audit logs. Review request logs for GET calls to the vulnerable endpoints and check if any external API calls using those credentials originated from unexpected sources or times. Consider implementing brief monitoring after rotation to detect reuse of old credentials.

Does this vulnerability affect LibreChat's main chat functionality?

No. This vulnerability is specific to MCP server configuration retrieval. Core chat, message storage, and other features are unaffected. However, if MCP integrations are part of your chat workflow, the compromised provider credentials could degrade or redirect service quality.

This analysis is based on vulnerability data current as of the published and modified dates provided. Version numbers, patch availability, and CVSS scores reflect the source data and should be verified against official LibreChat release notes and security advisories before deploying to production. Organizations should conduct their own risk assessment based on their specific LibreChat deployment, user access model, and MCP server configurations. This advisory does not constitute legal or professional security advice; consult with your security team or vendor for tailored remediation strategies. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).