CVE-2026-44653— LibreChat Shared MCP Server View Leaks Decrypted Admin Secrets
Possible ATT&CK Techniques 3AI
T1005 · Data from Local System T1530 · Data from Cloud Storage T1530.001Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44653
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
LibreChat Shared MCP Server View Leaks Decrypted Admin Secrets
Source: NVD (National Vulnerability Database)
Vulnerability Description
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, users with only `VIEW` access to an MCP server can retrieve the server's decrypted admin-managed secrets through `GET /api/mcp/servers` and `GET /api/mcp/servers/:serverName`. The returned config includes plaintext values for `apiKey.key` and `oauth.client_secret`. This allows viewers of a shared MCP server to exfiltrate the underlying provider credentials. Version 0.8..4 contains a patch. Other remediations include: never returning decrypted admin-managed secrets to non-owners; redacting apiKey.key and oauth.client_secret from all API responses consider returning only boolean presence indicators for secrets, similar to the auth-values route pattern; and, if owners need to edit configs without re-entering secrets, preserving secrets server-side and returning placeholders instead of plaintext.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过发送数据的信息暴露
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| danny-avila | LibreChat | < 0.8.4 | - |
II. Public POCs for CVE-2026-44653
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44653
请登录查看更多情报信息。
Other References for CVE-2026-44653 (1)
Same Patch Batch · danny-avila · 2026-06-02 · 4 CVEs total
| CVE-2026-32625 | 9.6 CRITICAL | LibreChat Exfiltrates Server Secrets via MCP Server URL Injection |
| CVE-2026-31942 | 7.1 HIGH | LibreChat has IDOR in API Keys Management that allows any authenticated user to overwrite |
| CVE-2026-44654 | LibreChat: Shared-agent editor can globally delete owner's file records — breaks owner's o |
IV. Related Vulnerabilities
Same product: LibreChat
- CVE-2026-44654
LibreChat: Shared-agent editor can globally delete owner's f - CVE-2026-32625
LibreChat Exfiltrates Server Secrets via MCP Server URL Inje - CVE-2026-31942
LibreChat has IDOR in API Keys Management that allows any au - CVE-2026-34371
LibreChat Affected by Arbitrary File Write via `execute_code - CVE-2026-31951
LibreChat's MCP Server Header Injection Enables OAuth Token
Same vendor: danny-avila
- CVE-2026-44654
LibreChat: Shared-agent editor can globally delete owner's f - CVE-2026-32625
LibreChat Exfiltrates Server Secrets via MCP Server URL Inje - CVE-2026-31942
LibreChat has IDOR in API Keys Management that allows any au - CVE-2026-34371
LibreChat Affected by Arbitrary File Write via `execute_code - CVE-2026-31951
LibreChat's MCP Server Header Injection Enables OAuth Token
Same weakness: CWE-201
- CVE-2026-35447
NamelessMC: Private or blocking profile pages can be bypasse - CVE-2026-42673
WordPress Activity Logs, User Activity Tracking, Multisite A - CVE-2026-49370
JetBrains YouTrack 安全漏洞 - CVE-2026-10101
Assisted-service: assisted-service: infraenv status leaks re - CVE-2026-45582
n8n-MCP: Workflow telemetry sanitizer could retain partial v
V. Comments for CVE-2026-44653
No comments yet