Server-Side Request Forgery in LibreChat by Danny Avila
CVE-2026-31943

8.5 HIGH

Key Information:

CVE Published: 27 March 2026

What is CVE-2026-31943?

LibreChat, an open-source ChatGPT clone with advanced features, contains a vulnerability in versions prior to 0.8.3: the isPrivateIP() function does not properly handle IPv4-mapped IPv6 addresses written in their hex-normalized form (for example ::ffff:7f00:1, the hexadecimal spelling of ::ffff:127.0.0.1). An authenticated user can use such an address to bypass the server-side request forgery (SSRF) protections and cause the server to issue HTTP requests to internal network resources, such as cloud metadata services and hosts in private IP ranges, that the check is meant to block. The vulnerability is fixed in version 0.8.3.
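As an added illustration (not LibreChat's own isPrivateIP() and not code from this advisory), the JavaScript below shows a naive private-address check that only understands the dotted form of an IPv4-mapped address, beside a hardened version that first decodes any IPv6 spelling to its 16 bytes and then classifies the embedded IPv4 address. All function names, the range list and the sample inputs are assumptions made for this example.

```javascript
// Added example: naive vs. hardened private-IP check for SSRF filtering.
// Illustrative code only; names (isPrivateIPNaive, isPrivateIPHardened, ...) are assumed.

// Blocked IPv4 ranges: RFC 1918, loopback, link-local (cloud metadata lives at
// 169.254.169.254), "this network" and CGNAT. Constructed list for the example.
const PRIVATE_V4 = [
  ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['127.0.0.0', 8], ['169.254.0.0', 16], ['0.0.0.0', 8], ['100.64.0.0', 10],
];

// Dotted quad -> unsigned 32-bit number, or null if not a strict a.b.c.d.
function v4ToInt(dotted) {
  const parts = dotted.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p); // arithmetic, not bit ops, to stay unsigned
  }
  return n;
}

function isPrivateV4(dotted) {
  const ip = v4ToInt(dotted);
  if (ip === null) return false;
  return PRIVATE_V4.some(([base, bits]) =>
    Math.floor(ip / 2 ** (32 - bits)) === Math.floor(v4ToInt(base) / 2 ** (32 - bits)));
}

// Naive check: strips a literal "::ffff:" prefix and expects a dotted quad after it.
// "::ffff:7f00:1" survives as "7f00:1", fails v4 parsing, and is wrongly allowed.
function isPrivateIPNaive(host) {
  let h = host.toLowerCase();
  if (h.startsWith('::ffff:')) h = h.slice(7);
  return isPrivateV4(h);
}

// Full IPv6 textual form -> 16 bytes, or null if the string is not IPv6.
// Handles brackets, zone ids, "::" compression and a dotted IPv4 tail.
function parseV6(str) {
  let s = str.toLowerCase();
  if (s.startsWith('[') && s.endsWith(']')) s = s.slice(1, -1);
  const zone = s.indexOf('%');
  if (zone >= 0) s = s.slice(0, zone);
  const lastColon = s.lastIndexOf(':');
  if (lastColon >= 0 && s.slice(lastColon + 1).includes('.')) {
    const v4 = v4ToInt(s.slice(lastColon + 1));           // e.g. "::ffff:127.0.0.1"
    if (v4 === null) return null;
    s = s.slice(0, lastColon + 1) +
      Math.floor(v4 / 65536).toString(16) + ':' + (v4 % 65536).toString(16);
  }
  const halves = s.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  let groups;
  if (halves.length === 2) {
    const fill = 8 - head.length - tail.length;
    if (fill < 1) return null;
    groups = [...head, ...Array(fill).fill('0'), ...tail];
  } else {
    groups = head;
  }
  if (groups.length !== 8) return null;
  const bytes = [];
  for (const g of groups) {
    if (!/^[0-9a-f]{1,4}$/.test(g)) return null;
    const v = parseInt(g, 16);
    bytes.push(v >> 8, v & 0xff);
  }
  return bytes;
}

// If the 16 bytes are an IPv4-mapped (::ffff:0:0/96) or the deprecated
// IPv4-compatible (::/96) address, return the embedded IPv4 as a dotted quad.
function embeddedV4(bytes) {
  const zeroPrefix = bytes.slice(0, 10).every((x) => x === 0);
  if (!zeroPrefix) return null;
  const mapped = bytes[10] === 0xff && bytes[11] === 0xff;
  const compatible = bytes[10] === 0 && bytes[11] === 0;
  return mapped || compatible ? bytes.slice(12).join('.') : null;
}

// Hardened check: classify by decoded bytes, never by textual spelling.
// Note "::" and "::1" decode to 0.0.0.0 / 0.0.0.1 via the ::/96 rule and are
// blocked by the 0.0.0.0/8 entry.
function isPrivateIPHardened(host) {
  const b = parseV6(host);
  if (b === null) return isPrivateV4(host);            // plain IPv4 (or garbage: not private)
  const v4 = embeddedV4(b);
  if (v4 !== null) return isPrivateV4(v4);
  if ((b[0] & 0xfe) === 0xfc) return true;             // fc00::/7 unique local
  if (b[0] === 0xfe && (b[1] & 0xc0) === 0x80) return true; // fe80::/10 link-local
  return false;
}

// Constructed sample hosts, including the hex-form bypass described in the advisory.
for (const h of ['::ffff:127.0.0.1', '::ffff:7f00:1', '[::FFFF:a9fe:a9fe]', '8.8.8.8']) {
  console.log(h.padEnd(20), 'naive:', isPrivateIPNaive(h), 'hardened:', isPrivateIPHardened(h));
}
```

The point of the hardened version is that the decision is made on the decoded address, so every textual spelling of the same address (dotted tail, hex groups, upper case, brackets, zone id) reaches the same verdict. A second caveat a deployment should keep in mind: a hostname-based check still has to be repeated on the addresses actually resolved at connection time, otherwise DNS rebinding sidesteps the filter entirely.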

Affected Version(s)

LibreChat < 0.8.3

CVSS V3.1

Score: 8.5
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published: 27 March 2026

  • Vulnerability reserved