{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31945", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T15:10:10.656Z", "datePublished": "2026-03-27T19:23:53.395Z", "dateUpdated": "2026-03-27T19:24:30.707Z"}, "containers": {"cna": {"title": "LibreChat Server-Side Request Forgery using DNS resolution", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-f92m-jpv7-55p2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-f92m-jpv7-55p2"}], "affected": [{"vendor": "danny-avila", "product": "LibreChat", "versions": [{"version": ">= 0.8.2-rc2, < 0.8.3-rc1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T19:24:30.707Z"}, "descriptions": [{"lang": "en", "value": "LibreChat is a ChatGPT clone with additional features. Versions 0.8.2-rc2 through 0.8.2 are vulnerable to a server-side request forgery (SSRF) attack when using agent actions or MCP. Although a previous SSRF vulnerability (https://github.com/danny-avila/LibreChat/security/advisories/GHSA-rgjq-4q58-m3q8) was reported and patched, the fix only introduced hostname validation. It does not verify whether DNS resolution results in a private IP address. As a result, an attacker can still bypass the protection and gain access to internal resources, such as an internal RAG API or cloud instance metadata endpoints. Version 0.8.3-rc1 contains a patch."}], "source": {"advisory": "GHSA-f92m-jpv7-55p2", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "LibreChat is a ChatGPT clone with additional features. Versions 0.8.2-rc2 through 0.8.2 are vulnerable to a server-side request forgery (SSRF) attack when using agent actions or MCP. Although a previous SSRF vulnerability (https://github.com/danny-avila/LibreChat/security/advisories/GHSA-rgjq-4q58-m3q8) was reported and patched, the fix only introduced hostname validation. It does not verify whether DNS resolution results in a private IP address. As a result, an attacker can still bypass the protection and gain access to internal resources, such as an internal RAG API or cloud instance metadata endpoints. Version 0.8.3-rc1 contains a patch."}], "id": "CVE-2026-31945", "lastModified": "2026-03-27T20:16:30.060", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T20:16:30.060", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-f92m-jpv7-55p2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T20:21:48.179693+00:00", "value": {"mitigation_remediation": ["Upgrade LibreChat to version 0.8.3\u2011rc1 or later.", "If upgrading is not immediately possible, disable or restrict the use of agent actions or MCP that trigger outbound requests.", "Implement monitoring for unexpected outbound connections from the LibreChat server."], "summary": {"action": "Patch Immediately", "impact": "Server\u2011Side Request Forgery exposing internal resources"}, "threat_synthesis": {"affected_systems": "The affected product is LibreChat released by the vendor 'danny\u2011avila'. Affected versions are 0.8.2\u2011rc2 through 0.8.2 inclusive. A fix that restores proper DNS validation and prevents access to private IPs is available in version 0.8.3\u2011rc1. No other product or vendor information is provided.", "description_and_impact": "LibreChat versions 0.8.2\u2011rc2 through 0.8.2 contain a Server\u2011Side Request Forgery weakness (CWE\u2011918) that allows an attacker to supply a URL via agent actions or MCP and have the server resolve it without checking for private addresses. The result is that LibreChat can reach internal endpoints such as a private RAG API or cloud instance metadata services, potentially exposing sensitive data or enabling further attacks. The CVSS base score of 7.7 reflects the ability to obtain data without authentication and to impact confidentiality and integrity.", "risk_and_exploitability": "The likely attack vector is remote network access where an attacker can send a crafted request to LibreChat through its chat interface or API. Because the service lacks private\u2011IP filtering, an attacker can reach internal resources, securing sensitive data or credentials. The CVSS score of 7.7 indicates a high severity, and the lack of an EPSS score for this vulnerability does not diminish its potential impact. Since the vulnerability is not listed in CISA\u2019s KEV catalog, no known exploits are publicly documented, but the presence of the flaw and the high score suggest that monitoring and rapid mitigation are prudent."}}}}, "created": "2026-03-27T20:27:34.317621+00:00", "updated": "2026-03-27T20:27:34.317648+00:00", "vendors": []}