OAuth Implementation Flaw in LibreChat Affects AI Communication
CVE-2026-54030

8 HIGH

Key Information:

Status:
Vendor:
CVE Published: 25 June 2026

What is CVE-2026-54030?

LibreChat's OAuth implementation did not validate the resource parameter from OAuth Protected Resource metadata against the configured MCP server URL. Because of this missing check, a malicious server could potentially intercept and steal access tokens intended for a legitimate server, compromising user data and application integrity. The issue is fixed in version 0.8.5, which adds the validation needed to prevent such unauthorized access.
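The missing check described above, written out as an added example (not LibreChat's own code): before trusting a fetched Protected Resource metadata document, the client confirms that its resource value actually identifies the MCP server it was configured to talk to. The metadata shape (an object with a resource field, per RFC 9728), the configured server URL and the same-origin, same-or-parent-path comparison rule are assumptions for this illustration.

```javascript
// Added example: validate the `resource` from OAuth Protected Resource
// metadata against the configured MCP server URL before using the metadata.
// Assumption: metadata is an RFC 9728 style object with a string `resource`.

// Canonicalise a URL so that case, default ports and fragments do not
// cause false mismatches. WHATWG URL already lowercases scheme and host.
function canonicalize(urlString) {
  const u = new URL(urlString);
  if (u.protocol !== "https:" && u.protocol !== "http:") {
    throw new Error(`unsupported scheme: ${u.protocol}`);
  }
  u.hash = "";
  return u;
}

// True only if `metadataResource` identifies the configured server:
// identical origin, and its path equals or is a parent of the server path.
// Anything that fails to parse is rejected rather than silently accepted.
function resourceMatchesServer(configuredServerUrl, metadataResource) {
  let server, resource;
  try {
    server = canonicalize(configuredServerUrl);
    resource = canonicalize(metadataResource);
  } catch {
    return false;
  }
  if (server.origin !== resource.origin) return false;
  const serverPath = server.pathname.replace(/\/+$/, "");
  const resourcePath = resource.pathname.replace(/\/+$/, "");
  return serverPath === resourcePath || serverPath.startsWith(resourcePath + "/");
}

// Gate the metadata document: only a resource that matches the configured
// MCP server may be used as the token audience; otherwise refuse the flow.
function validateProtectedResourceMetadata(configuredServerUrl, metadata) {
  if (!metadata || typeof metadata.resource !== "string") {
    throw new Error("protected resource metadata is missing `resource`");
  }
  if (!resourceMatchesServer(configuredServerUrl, metadata.resource)) {
    throw new Error(
      `resource ${metadata.resource} does not match configured MCP server ${configuredServerUrl}`
    );
  }
  return metadata.resource;
}
```

A resource that points at a different host (or at an unrelated path on the same host) is rejected, so a token requested for it is never minted for the wrong audience.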

Affected Version(s)

LibreChat < 0.8.5

References

CVSS V3.1

Score: 8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved
