Authentication Bypass in LibreChat by Danny Avila
CVE-2026-54040

5.9MEDIUM

Key Information:

Vendor: Danny-avila
Status: Librechat
Vendor: CVE Published:; 25 June 2026

🔔 Create Danny-avila Vulnerability Alert

What is CVE-2026-54040?

LibreChat prior to version 0.8.4-rc1 contains a significant vulnerability in its 2FA backup code regeneration process. Specifically, the system allows the POST /api/auth/2fa/backup/regenerate endpoint to regenerate all backup codes without the need for a Time-based One-Time Password (TOTP) token or verification of existing backup codes. This flaw means that an attacker with access to a victim's session token can alter the victim's backup codes without detection, potentially allowing them to bypass two-factor authentication altogether or disable it, drastically compromising user account security.

Affected Version(s)

LibreChat < 0.8.4-rc1

References

https://github.com/danny-avila/LibreChat/security/advisor...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 25, 2026
Vulnerability Reserved
Jun 11, 2026

CVE-2026-54040 Data

JSON