CVE-2026-32625

Received
Published: 02 Jun 2026, 22:35
Last modified:03 Jun 2026, 14:07

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.6 CRITICAL
v3.1 (cve.org)
EPSS Score
0.03% LOW
0% probability
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

02 Jun 2026, 22:35
Published
Vulnerability first disclosed
03 Jun 2026, 14:07
Last Modified
Vulnerability information updated

Description

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, the Model Context Protocol (MCP) server integration resolves ${VAR} placeholders against the server's process.env during Zod schema validation of user-supplied MCP server URLs. Any authenticated user can create a malicious MCP server configuration with a URL pointing to an attacker-controlled domain containing environment variable references, causing the LibreChat server to connect to the attacker's server and transmit critical secrets such as CREDS_KEY, CREDS_IV, JWT_SECRET, and MONGO_URI in the request URL. This enables full compromise of the installation's cryptographic materials and database credentials without requiring administrative privileges. This is patched in version 0.8.4-rc1.

CVSS Metrics

  • v3.1CRITICALScore: 9.6CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

EPSS Trends

Current EPSS score: 0.03% Percentile: 9%

Techniques & Countermeasures

  • CWE-200Exposure of Sensitive Information to an Unauthorized Actor

    The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Affected Systems

  • danny-avilalibrechat

    < 0.8.4-rc1

References (1)