Insecure Direct Object Reference in LibreChat API Key Management
CVE-2026-31942

7.1 HIGH

Key Information:

Status:
Vendor:
CVE Published: 2 June 2026

What is CVE-2026-31942?

In versions of LibreChat up to and including 0.7.6, an Insecure Direct Object Reference vulnerability exists within the API keys management endpoint. The flaw enables any authenticated user to manipulate the userId parameter in the request body, allowing them to overwrite another user's API keys. This could lead to unauthorized access and potential service disruptions, as the attacker might configure their own API keys for services like OpenAI, Anthropic, or Azure, effectively rerouting conversations or blocking access. This vulnerability has been addressed in version 0.8.3-rc1.
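The pattern behind the advisory, shown as an added example rather than LibreChat's own code: a key-update handler that trusts a client-supplied userId next to one that binds the write to the authenticated principal. The in-memory store, the handler names, the req.user / req.body shapes and the sample user ids are assumptions made for the illustration.

```javascript
// Added illustration of the IDOR described above; not LibreChat's code.
// The store, handler names and request shape are assumptions.

// Seed data for an in-memory per-user provider key store (constructed).
const SEED = {
  alice: { openai: 'sk-alice-ORIGINAL' },
  bob: { openai: 'sk-bob-ORIGINAL' },
};
const apiKeyStore = new Map();

// Restore the store to its seeded state so each scenario starts clean.
function resetStore() {
  apiKeyStore.clear();
  for (const [userId, keys] of Object.entries(SEED)) {
    apiKeyStore.set(userId, { ...keys });
  }
}
resetStore();

function saveKey(userId, provider, value) {
  const entry = apiKeyStore.get(userId) || {};
  entry[provider] = value;
  apiKeyStore.set(userId, entry);
}

function getKey(userId, provider) {
  const entry = apiKeyStore.get(userId);
  return entry ? entry[provider] : undefined;
}

// Vulnerable pattern: the record owner is read from the request body, so any
// authenticated caller can direct the write at someone else's account.
function updateKeyVulnerable(req) {
  const { userId, provider, value } = req.body;
  saveKey(userId, provider, value);
  return { status: 200, userId };
}

// Hardened pattern: the owner is always the principal that the session/JWT
// middleware attached as req.user. A body userId is never used for the write;
// one that disagrees with the session is rejected and logged, which turns
// probing for this class of bug into a monitoring signal.
function updateKeyFixed(req, log = []) {
  const owner = req.user && req.user.id;
  if (!owner) return { status: 401 };

  const { provider, value } = req.body;
  if (typeof provider !== 'string' || typeof value !== 'string') {
    return { status: 400 };
  }
  if ('userId' in req.body && req.body.userId !== owner) {
    log.push(`possible IDOR: user ${owner} sent userId=${req.body.userId}`);
    return { status: 403 };
  }

  saveKey(owner, provider, value);
  return { status: 200, userId: owner };
}

module.exports = { resetStore, getKey, updateKeyVulnerable, updateKeyFixed };
```

Rejecting a mismatched userId with 403 rather than silently ignoring it is a deliberate choice: the request is malformed for any legitimate client, so refusing it costs nothing, and the log line gives responders a concrete event to alert on. The same rule (owner comes from the session, never from the body or query string) applies to every read, update and delete on per-user resources, not only the key endpoint.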

Affected Version(s)

LibreChat < 0.8.3-rc1

References

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved