Cyber Posture

CVE-2026-31945

High · Public PoC

Published: 27 March 2026
Modified: 30 March 2026
KEV Added
Patch
CVSS Score: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0004 (12.2th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31945 is a high-severity SSRF (CWE-918) vulnerability in LibreChat. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 12.2th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised as APIs and Models, in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly remediates the SSRF flaw by applying the patch that adds private IP validation after DNS resolution in LibreChat versions affected by CVE-2026-31945.

prevent

Validates information inputs to agent actions and MCP features to block malicious hostnames or URLs that resolve to private internal resources.

prevent

Monitors and controls outbound communications at system boundaries to prevent the LibreChat server from accessing unauthorized internal services like RAG APIs or cloud metadata endpoints.

MITRE ATT&CK Enterprise Techniques · AI

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1522 · Cloud Instance Metadata API · Credential Access
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.

T1552.005 · Cloud Instance Metadata API · Credential Access
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.

Why these techniques?

SSRF in public-facing LibreChat directly enables T1190 exploitation; bypass to cloud metadata endpoints enables T1522 discovery and T1552.005 credential theft from instance metadata.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

LibreChat is a ChatGPT clone with additional features. Versions 0.8.2-rc2 through 0.8.2 are vulnerable to a server-side request forgery (SSRF) attack when using agent actions or MCP. Although a previous SSRF vulnerability (https://github.com/danny-avila/LibreChat/security/advisories/GHSA-rgjq-4q58-m3q8) was reported and patched, the fix only introduced hostname validation. It does not verify whether DNS resolution results in a private IP address. As a result, an attacker can still bypass the protection and gain access to internal resources, such as an internal RAG API or cloud instance metadata endpoints. Version 0.8.3-rc1 contains a patch.

Deeper analysis · AI

CVE-2026-31945 is a server-side request forgery (SSRF) vulnerability affecting LibreChat, an open-source ChatGPT clone with additional features, specifically in versions 0.8.2-rc2 through 0.8.2. The issue arises when using agent actions or MCP, where a prior SSRF fix (GHSA-rgjq-4q58-m3q8) implemented only hostname validation without checking if DNS resolution yields a private IP address. This allows attackers to bypass protections and access internal resources, such as an internal RAG API or cloud instance metadata endpoints. The vulnerability is rated 7.7 on CVSS 3.1 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) and maps to CWE-918.

An attacker with low privileges, such as an authenticated user, can exploit this over the network with low complexity and no user interaction required. By crafting requests through agent actions or MCP, they can force the server to make unauthorized connections to internal services, achieving high confidentiality impact across a changed scope. Potential outcomes include exfiltration of sensitive data from internal APIs or metadata services on cloud instances.

The GitHub security advisory (GHSA-f92m-jpv7-55p2) confirms the patch in version 0.8.3-rc1, which addresses the incomplete SSRF mitigation by adding private IP validation post-DNS resolution. Security practitioners should upgrade to 0.8.3-rc1 or later and review configurations for agent actions and MCP usage.
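The gap described above, as an added example (not LibreChat's code and not the actual patch): a check on the hostname string next to a check on the addresses DNS returns. The function names, the blocked ranges, the hostname rules and the resolver data are assumptions constructed for illustration.

```javascript
// Added example; all names are hypothetical, not taken from LibreChat.
const net = require('node:net');
const dns = require('node:dns').promises;

// Ranges a server-side fetch should not reach (assumed list, not exhaustive).
const internal = new net.BlockList();
for (const [addr, bits] of [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], // link-local, includes cloud metadata endpoints
  ['172.16.0.0', 12], ['192.168.0.0', 16],
]) internal.addSubnet(addr, bits, 'ipv4');
for (const [addr, bits] of [['::', 128], ['::1', 128], ['fc00::', 7], ['fe80::', 10]])
  internal.addSubnet(addr, bits, 'ipv6');

const isInternal = (ip) => internal.check(ip, net.isIP(ip) === 6 ? 'ipv6' : 'ipv4');
const hostOf = (url) => new URL(url).hostname.replace(/^\[|\]$/g, '');

// Incomplete check: inspects only the hostname string (rules here are assumed).
function hostnameLooksSafe(url) {
  const host = hostOf(url);
  if (host === 'localhost' || host.endsWith('.internal')) return false;
  return net.isIP(host) === 0 || !isInternal(host);
}

// Hardened check: resolve first, then reject if ANY resolved address is internal.
async function resolveAndValidate(url, lookup = dns.lookup) {
  const host = hostOf(url);
  const records = net.isIP(host) ? [{ address: host }] : await lookup(host, { all: true });
  const addresses = records.map((r) => r.address);
  const blocked = addresses.filter(isInternal);
  return { allowed: addresses.length > 0 && blocked.length === 0, addresses, blocked };
}

// Constructed resolver data so the example runs offline.
const fakeZone = {
  'api.example.com': ['93.184.216.34'],
  'docs.example.net': ['169.254.169.254'],
  'mixed.example.net': ['93.184.216.34', '10.0.0.5'],
};
const fakeLookup = async (host) => (fakeZone[host] || []).map((address) => ({ address }));
```

Validation alone is not enough if the HTTP client resolves the name a second time; connect to one of the validated addresses (for example through the request's `lookup` option) so the checked IP is the one actually used.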

LibreChat's nature as an AI chatbot platform highlights relevance to AI/ML deployments, where SSRF could expose retrieval-augmented generation (RAG) components or related internal services. No public evidence of real-world exploitation is noted as of the CVE publication on 2026-03-27.

Details

CWE(s)

Affected Products

librechat
librechat
0.8.2

AI Security Analysis · AI

AI Category
APIs and Models
Risk Domain
Protocol-Specific Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: mcp

CVEs Like This One

CVE-2026-31943 · Same product: Librechat Librechat
CVE-2025-69222 · Same product: Librechat Librechat
CVE-2026-22252 · Same product: Librechat Librechat
CVE-2026-31944 · Same product: Librechat Librechat
CVE-2025-41258 · Same product: Librechat Librechat
CVE-2025-69220 · Same product: Librechat Librechat
CVE-2024-10361 · Same product: Librechat Librechat
CVE-2026-33265 · Same product: Librechat Librechat
CVE-2026-26324 · Shared CWE-918
CVE-2026-27732 · Shared CWE-918
