Cyber Resilience

CVE-2026-31945

HighPublic PoC

Published: 27 March 2026

Published
27 March 2026
Modified
30 March 2026
KEV Added
Patch
CVSS Score v3.1 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS Score 0.0025 16.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-31945 is a high-severity SSRF (CWE-918) vulnerability in Librechat Librechat. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-31945 is a server-side request forgery (SSRF) vulnerability affecting LibreChat, an open-source ChatGPT clone with additional features, specifically in versions 0.8.2-rc2 through 0.8.2. The issue arises when using agent actions or MCP, where a prior SSRF fix (GHSA-rgjq-4q58-m3q8) implemented only hostname validation without checking if DNS resolution yields a private IP address. This allows attackers to bypass protections and access internal resources, such as an internal RAG API or cloud instance metadata endpoints. The vulnerability is rated 7.7 on CVSS 3.1 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) and maps to CWE-918.

An attacker with low privileges, such as an authenticated user, can exploit this over the network with low complexity and no user interaction required. By crafting requests through agent actions or MCP, they can force the server to make unauthorized connections to internal services, achieving high confidentiality impact across a changed scope. Potential outcomes include exfiltration of sensitive data from internal APIs or metadata services on cloud instances.

The GitHub security advisory (GHSA-f92m-jpv7-55p2) confirms the patch in version 0.8.3-rc1, which addresses the incomplete SSRF mitigation by adding private IP validation post-DNS resolution. Security practitioners should upgrade to 0.8.3-rc1 or later and review configurations for agent actions and MCP usage.

LibreChat's nature as an AI chatbot platform highlights relevance to AI/ML deployments, where SSRF could expose retrieval-augmented generation (RAG) components or related internal services. No public evidence of real-world exploitation is noted as of the CVE publication on 2026-03-27.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

LibreChat is a ChatGPT clone with additional features. Versions 0.8.2-rc2 through 0.8.2 are vulnerable to a server-side request forgery (SSRF) attack when using agent actions or MCP. Although a previous SSRF vulnerability (https://github.com/danny-avila/LibreChat/security/advisories/GHSA-rgjq-4q58-m3q8) was reported and patched, the fix only…

more

introduced hostname validation. It does not verify whether DNS resolution results in a private IP address. As a result, an attacker can still bypass the protection and gain access to internal resources, such as an internal RAG API or cloud instance metadata endpoints. Version 0.8.3-rc1 contains a patch.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: chatgpt, librechat, mcp

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.005 Cloud Instance Metadata API Credential Access
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

SSRF in public-facing LibreChat directly enables T1190 exploitation; bypass to cloud metadata endpoints enables T1522 discovery and T1552.005 credential theft from instance metadata.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31943Same product: Librechat Librechat
CVE-2025-69222Same product: Librechat Librechat
CVE-2025-69220Same product: Librechat Librechat
CVE-2025-41258Same product: Librechat Librechat
CVE-2024-10361Same product: Librechat Librechat
CVE-2026-22252Same product: Librechat Librechat
CVE-2026-4276Same product: Librechat Librechat
CVE-2026-31944Same product: Librechat Librechat
CVE-2026-33265Same product: Librechat Librechat
CVE-2026-32625Same product: Librechat Librechat

Affected Assets

librechat
librechat
0.8.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the SSRF flaw by applying the patch that adds private IP validation after DNS resolution in LibreChat versions affected by CVE-2026-31945.

prevent

Validates information inputs to agent actions and MCP features to block malicious hostnames or URLs that resolve to private internal resources.

prevent

Monitors and controls outbound communications at system boundaries to prevent the LibreChat server from accessing unauthorized internal services like RAG APIs or cloud metadata endpoints.

References