
Critical Vulnerability CVE-2026-32625 Discovered in LibreChat

Severity: High (Score: 78.0)

Sources: www.valtersit.com, Feedly, euvd.enisa.europa.eu, www.thehackerwire.com

Published: 2026-06-03 · Updated: 2026-06-03

Keywords: server, cve-2026-32625, model, context, protocol, environment, variable


Summary

CVE-2026-32625 is a critical information disclosure vulnerability affecting LibreChat versions up to 0.8.3. The flaw allows authenticated users to exploit the Model Context Protocol (MCP) server integration by crafting malicious URLs that resolve environment variable placeholders. This can lead to the exfiltration of sensitive secrets such as CREDS_KEY, CREDS_IV, JWT_SECRET, and MONGO_URI to an attacker-controlled domain. The vulnerability has a CVSS score of 9.6, indicating a high severity level. A patch has been released in version 0.8.4-rc1, and users are advised to upgrade immediately to mitigate risks. Currently, there are no known public proof-of-concept exploits available. The vulnerability poses significant risks to installations running vulnerable versions of LibreChat.

Key Points:

  • CVE-2026-32625 allows authenticated users to exfiltrate sensitive environment variables.
  • The vulnerability affects LibreChat versions up to and including 0.8.3, with a CVSS score of 9.6.
  • Users are urged to upgrade to version 0.8.4-rc1 or later to mitigate the risk.

Detailed Analysis

**Impact**

LibreChat users running versions up to and including 0.8.3 are affected globally, with no geographic or sector-specific limitations noted. The vulnerability allows authenticated users to exfiltrate sensitive environment variables, including cryptographic keys (CREDS_KEY, CREDS_IV, JWT_SECRET) and database credentials (MONGO_URI), risking full system compromise. This exposure can lead to unauthorized access to AI provider API keys and backend databases, impacting confidentiality and operational integrity.

**Technical Details**

The vulnerability (CVE-2026-32625) resides in the Model Context Protocol (MCP) server integration, where Zod schema validation resolves `${VAR}` environment variable placeholders in user-supplied MCP server URLs against the server's process.env. An authenticated attacker can craft a malicious MCP URL referencing sensitive environment variables, causing LibreChat to send these secrets to an attacker-controlled domain. The flaw affects librechat npm package versions ≤ 0.8.3 and is patched in 0.8.4-rc1. Because the substitution happens during URL validation, credential exfiltration requires only an authenticated account, not administrative privileges. No public proof-of-concept exploits or IOCs are provided.

**Recommended Response**

Upgrade all LibreChat installations to version 0.8.4-rc1 or later immediately; the patch restricts environment variable substitution to a whitelist. Deploy monitoring to detect outbound requests to unknown or suspicious domains originating from MCP server URL validation. Harden configurations by limiting authenticated user permissions where possible, and audit environment variable usage in configured MCP URLs. No specific IOCs are available, so focus on network traffic analysis and version compliance checks.
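As an added example (not LibreChat's code; the allowlist names, sample configuration and environment are assumed), a JavaScript sketch of the allowlisted `${VAR}` substitution the patch is described as introducing, plus an audit that flags configured MCP server URLs referencing non-allowlisted variables, as the Recommended Response suggests:

```javascript
// Added example, not LibreChat's code. Placeholder syntax follows the ${VAR}
// form described in the advisory; allowlist names and sample data are assumed.
const PLACEHOLDER = /\$\{([A-Za-z_][A-Za-z0-9_]*)\}/g;

// Variables an operator explicitly approves for substitution into MCP URLs.
const ALLOWED_ENV = new Set(['MCP_BASE_URL', 'MCP_API_KEY']);

// Split every placeholder in a URL into allowed and blocked variable names.
function auditUrl(url, allowed = ALLOWED_ENV) {
  const allowedRefs = [];
  const blockedRefs = [];
  for (const m of url.matchAll(PLACEHOLDER)) {
    (allowed.has(m[1]) ? allowedRefs : blockedRefs).push(m[1]);
  }
  return { allowedRefs, blockedRefs };
}

// Hardened resolver: rejects the URL if it references any non-allowlisted
// variable, rather than resolving every placeholder against the whole env.
function resolveMcpUrl(url, env, allowed = ALLOWED_ENV) {
  const { blockedRefs } = auditUrl(url, allowed);
  if (blockedRefs.length > 0) {
    throw new Error(`MCP URL references non-allowlisted variables: ${blockedRefs.join(', ')}`);
  }
  const resolved = url.replace(PLACEHOLDER, (_, name) => {
    if (!(name in env)) throw new Error(`Missing environment variable ${name}`);
    return env[name];
  });
  new URL(resolved); // the result must still parse as a URL after substitution
  return resolved;
}

// Audit a list of configured MCP servers; returns only the offending entries.
function auditMcpServers(servers, allowed = ALLOWED_ENV) {
  return servers
    .map((s) => ({ name: s.name, ...auditUrl(s.url, allowed) }))
    .filter((r) => r.blockedRefs.length > 0);
}

// Constructed sample data: one benign entry and one that references secrets.
const SAMPLE_SERVERS = [
  { name: 'docs', url: '${MCP_BASE_URL}/sse?key=${MCP_API_KEY}' },
  { name: 'suspect', url: 'https://mcp.example.net/sse?a=${JWT_SECRET}&b=${MONGO_URI}' },
];
const SAMPLE_ENV = { MCP_BASE_URL: 'https://mcp.example.com', MCP_API_KEY: 'k1', JWT_SECRET: 'not-for-urls' };

console.log(JSON.stringify(auditMcpServers(SAMPLE_SERVERS)));
```

Running the audit over a live deployment's MCP server configuration before and after upgrading gives a quick version-independent check that no URL references secrets.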

Source articles (4)

  • CVE-2026-32625 - Exploits & Severity — Feedly · 2026-06-03
    LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, the Model Context Protocol (MCP) server integration resolves ${VAR} placeholders agai…
  • CVE-2026-32625 — Valters IT Hub (www.valtersit.com) · 2026-06-03
    The flaw resides in the Model Context Protocol (MCP) server integration, where the application resolves environment variable placeholders against the server's during Zod schema validation of user-supplied MCP server URLs. An authenticated attacker can craft a malicious MCP server configuration with a URL containing environment variable references (e.g., ). When the server validates this URL, it substitutes the placeholder with the actual environment variable va…
    CVE-2026-32625 is a critical information disclosure vulnerability in LibreChat, an open-source ChatGPT clone supporting multiple AI providers. The flaw resides in the Model Context Protocol (MCP) serv…
  • LibreChat Critical Credential Disclosure via MCP Server URL — TheHackerWire (www.thehackerwire.com) · 2026-06-03
    Specifically, in versions up to and including 0.8.3, the server resolves placeholders against its own during Zod schema validation of user-supplied MCP server URLs. This means that when an authenticated user configures an MCP server, they can embed references to environment variables directly into the URL field. If the URL points to an attacker-controlled domain and contains placeholders like or, the LibreChat server…
  • EUVD-2026-34046 — EUVD - European Vulnerability Database (euvd.enisa.europa.eu) · 2026-06-03
    EUVD Id: EUVD-2026-34046 · Published: 2026-06-02 · Updated: 2026-06-02 · Associated ID: CVE-2026-32625 · CVSS Base Score: 9.6 · CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
    Description: LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, the Model Context Protocol (MCP) server integration resolves ${VAR} placeholders against the server's process.env during Zod schema v…

Timeline

  • 2026-06-02 — CVE-2026-32625 published: The CVE was officially published, detailing a critical vulnerability in LibreChat affecting versions up to 0.8.3.
  • 2026-06-03 — Vulnerability details disclosed: Valters IT Hub reported on the critical information disclosure vulnerability in LibreChat, emphasizing the risks of environment variable exfiltration.
  • 2026-06-03 — Patch released for LibreChat: LibreChat released version 0.8.4-rc1 to address the critical vulnerability, urging users to upgrade immediately.

CVEs

  • CVE-2026-32625

Related entities

  • Data Breach (Attack Type)
  • CWE-200 - Exposure of Sensitive Information (CWE)
  • shodan.io (Domain)
  • T1567 - Exfiltration Over Web Service (MITRE ATT&CK)