CVE-2026-31943
Published: 27 March 2026
Summary
CVE-2026-31943 is a high-severity SSRF (CWE-918) vulnerability in LibreChat. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 11.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 mandates validation of user-supplied inputs, including IPv4-mapped IPv6 addresses in their hex-normalized form, which directly prevents the SSRF bypass in isPrivateIP().
SC-7 monitors and controls boundary communications to block unauthorized outbound requests to internal resources such as AWS metadata, loopback, and RFC1918 ranges.
AC-4 enforces information flow control policies that restrict server-initiated requests to private IP spaces, mitigating SSRF access to internal network resources.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SSRF vulnerability in the public-facing LibreChat application (T1190) directly enables forced requests to cloud metadata services (T1522/T1552.005) and to internal private IP ranges (T1046).
NVD Description
LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.3, `isPrivateIP()` in `packages/api/src/auth/domain.ts` fails to detect IPv4-mapped IPv6 addresses in their hex-normalized form, allowing any authenticated user to bypass SSRF protection and make the server issue HTTP requests to internal network resources — including cloud metadata services (e.g., AWS `169.254.169.254`), loopback, and RFC1918 ranges. Version 0.8.3 fixes the issue.
Deeper analysis
CVE-2026-31943 is a server-side request forgery (SSRF) vulnerability in LibreChat, an open-source ChatGPT clone with additional features. The issue affects versions prior to 0.8.3 and stems from a flaw in the `isPrivateIP()` function located in `packages/api/src/auth/domain.ts`. This function fails to properly detect IPv4-mapped IPv6 addresses when presented in their hex-normalized form, enabling bypass of SSRF protections that are intended to block requests to private IP ranges.
Any authenticated user can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation allows the attacker to force the LibreChat server to issue HTTP requests to internal network resources, such as cloud metadata endpoints (e.g., AWS's 169.254.169.254), loopback addresses, and RFC1918 private ranges. The CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N) reflects high confidentiality impact due to potential exposure of sensitive internal data, with changed scope amplifying the risk.
The GitHub security advisory (GHSA-w5r7-4f94-vp4c) confirms that upgrading to LibreChat version 0.8.3 resolves the issue by addressing the detection flaw in `isPrivateIP()`. Security practitioners should prioritize patching affected instances, review access controls for authenticated users, and monitor for anomalous outbound requests to private IPs as interim mitigations.
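The root cause described above is a check that recognises a mapped address in one spelling but not another. The following TypeScript is an added example, not LibreChat's code and not the fix shipped in 0.8.3: it shows a private-IP check that first parses the literal into its eight 16-bit groups, so `::ffff:169.254.169.254` and its hex spelling `::ffff:a9fe:a9fe` both reduce to the same embedded IPv4 address before any range test runs. A constructed `naiveIsPrivateIP()` that only unwraps the dotted spelling is included beside it to make the gap concrete. All function names (`parseIPv4`, `parseIPv6`, `embeddedIPv4`, `isPrivateIPv4`, `isPrivateIP`, `naiveIsPrivateIP`) and the range table are assumptions of this example; `isPrivateIP` reuses the name from the advisory but not the project's implementation.

```typescript
// Parse a dotted-quad IPv4 literal into an unsigned 32-bit number, or null.
// Leading zeros are rejected to avoid octal ambiguity between parsers.
function parseIPv4(s: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const parts = m.slice(1);
  if (parts.some((p) => p.length > 1 && p[0] === "0")) return null;
  const o = parts.map(Number);
  if (o.some((v) => v > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// Expand an IPv6 literal into eight 16-bit groups, or null if malformed.
// Handles "::" compression and a dotted IPv4 tail such as ::ffff:169.254.169.254,
// which is rewritten into two hex groups so both spellings normalise identically.
function parseIPv6(s: string): number[] | null {
  let str = s;
  const lastColon = str.lastIndexOf(":");
  if (lastColon === -1) return null;
  const tail = str.slice(lastColon + 1);
  if (tail.includes(".")) {
    const v4 = parseIPv4(tail);
    if (v4 === null) return null;
    str = str.slice(0, lastColon + 1) + (v4 >>> 16).toString(16) + ":" + (v4 & 0xffff).toString(16);
  }
  const halves = str.split("::");
  if (halves.length > 2) return null;
  const toGroups = (part: string): number[] | null => {
    if (part === "") return [];
    const out: number[] = [];
    for (const g of part.split(":")) {
      if (!/^[0-9a-fA-F]{1,4}$/.test(g)) return null;
      out.push(parseInt(g, 16));
    }
    return out;
  };
  const head = toGroups(halves[0]);
  const rest = halves.length === 2 ? toGroups(halves[1]) : [];
  if (head === null || rest === null) return null;
  if (halves.length === 1) return head.length === 8 ? head : null;
  const missing = 8 - head.length - rest.length;
  if (missing < 1) return null;
  return [...head, ...Array.from({ length: missing }, () => 0), ...rest];
}

// If the groups describe an IPv4-mapped address (::ffff:0:0/96), return the
// embedded IPv4 as an unsigned 32-bit number; otherwise null.
function embeddedIPv4(groups: number[]): number | null {
  const mapped = groups.slice(0, 5).every((g) => g === 0) && groups[5] === 0xffff;
  return mapped ? ((groups[6] << 16) | groups[7]) >>> 0 : null;
}

// Assumed block list (example only): RFC1918, loopback, link-local (covers the
// 169.254.169.254 metadata endpoint) and "this network".
const PRIVATE_V4_RANGES: Array<[string, number]> = [
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["127.0.0.0", 8], ["169.254.0.0", 16], ["0.0.0.0", 8],
];

function isPrivateIPv4(addr: number): boolean {
  return PRIVATE_V4_RANGES.some(([base, bits]) => {
    const b = parseIPv4(base) as number;
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((addr & mask) >>> 0) === ((b & mask) >>> 0);
  });
}

// Hardened check: normalise first, then test the embedded IPv4 regardless of how
// the mapped address was spelled. Non-literal hosts return false here; a caller
// must resolve them and re-check the resolved address before connecting.
function isPrivateIP(host: string): boolean {
  const v4 = parseIPv4(host);
  if (v4 !== null) return isPrivateIPv4(v4);
  const groups = parseIPv6(host.replace(/^\[|\]$/g, ""));
  if (groups === null) return false;
  const mapped = embeddedIPv4(groups);
  if (mapped !== null) return isPrivateIPv4(mapped);
  if (groups.slice(0, 7).every((g) => g === 0) && groups[7] <= 1) return true; // :: and ::1
  if ((groups[0] & 0xfe00) === 0xfc00) return true; // fc00::/7 unique local
  if ((groups[0] & 0xffc0) === 0xfe80) return true; // fe80::/10 link local
  return false;
}

// Constructed illustration of the weakness class (not LibreChat's code): only the
// dotted spelling of a mapped address is unwrapped, so the hex spelling is not
// recognised as private at all.
function naiveIsPrivateIP(host: string): boolean {
  const dotted = host.replace(/^::ffff:(?=\d+\.)/i, "");
  const v4 = parseIPv4(dotted);
  return v4 !== null && isPrivateIPv4(v4);
}
```

The design point is that the range test runs on a canonical numeric form, never on the user-supplied string; any check that pattern-matches the text of an address inherits every alternative spelling the parser on the other side accepts. A deployment that blocks private IPs should also re-run this check on the address actually chosen after DNS resolution, and pair it with the network-level egress controls (SC-7, AC-4) listed above, so a future parser gap does not become a metadata-service read.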
Details
- CWE(s)