Cyber Resilience

CVE-2026-31943

HighPublic PoC

Published: 27 March 2026

Published
27 March 2026
Modified
31 March 2026
KEV Added
Patch
CVSS Score v3.1 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
EPSS Score 0.0021 11.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-31943 is a high-severity SSRF (CWE-918) vulnerability in Librechat Librechat. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-31943 is a server-side request forgery (SSRF) vulnerability in LibreChat, an open-source ChatGPT clone with additional features. The issue affects versions prior to 0.8.3 and stems from a flaw in the `isPrivateIP()` function located in `packages/api/src/auth/domain.ts`. This function fails to properly detect IPv4-mapped IPv6 addresses when presented in their hex-normalized form, enabling bypass of SSRF protections that are intended to block requests to private IP ranges.

Any authenticated user can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation allows the attacker to force the LibreChat server to issue HTTP requests to internal network resources, such as cloud metadata endpoints (e.g., AWS's 169.254.169.254), loopback addresses, and RFC1918 private ranges. The CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N) reflects high confidentiality impact due to potential exposure of sensitive internal data, with changed scope amplifying the risk.

The GitHub security advisory (GHSA-w5r7-4f94-vp4c) confirms that upgrading to LibreChat version 0.8.3 resolves the issue by addressing the detection flaw in `isPrivateIP()`. Security practitioners should prioritize patching affected instances, review access controls for authenticated users, and monitor for anomalous outbound requests to private IPs as interim mitigations.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.3, `isPrivateIP()` in `packages/api/src/auth/domain.ts` fails to detect IPv4-mapped IPv6 addresses in their hex-normalized form, allowing any authenticated user to bypass SSRF protection and make the server issue HTTP requests…

more

to internal network resources — including cloud metadata services (e.g., AWS `169.254.169.254`), loopback, and RFC1918 ranges. Version 0.8.3 fixes the issue.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: chatgpt, librechat

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.005 Cloud Instance Metadata API Credential Access
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
T1046 Network Service Discovery Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

SSRF vuln in public-facing LibreChat app (T1190) directly enables forced requests to cloud metadata (T1522/T1552.005) and internal private IP ranges (T1046).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31945Same product: Librechat Librechat
CVE-2025-69222Same product: Librechat Librechat
CVE-2025-69220Same product: Librechat Librechat
CVE-2025-41258Same product: Librechat Librechat
CVE-2026-22252Same product: Librechat Librechat
CVE-2024-10361Same product: Librechat Librechat
CVE-2026-4276Same product: Librechat Librechat
CVE-2026-31944Same product: Librechat Librechat
CVE-2026-31942Same product: Librechat Librechat
CVE-2026-33265Same product: Librechat Librechat

Affected Assets

librechat
librechat
0.8.3 · ≤ 0.8.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 mandates validation of user-supplied inputs like hex-normalized IPv4-mapped IPv6 addresses, directly preventing the SSRF bypass in isPrivateIP().

prevent

SC-7 monitors and controls boundary communications to block unauthorized outbound requests to internal resources such as AWS metadata, loopback, and RFC1918 ranges.

prevent

AC-4 enforces information flow control policies that restrict server-initiated requests to private IP spaces, mitigating SSRF access to internal network resources.

References