0.8.4
CVE-2026-31943 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in LibreChat, a ChatGPT clone. This flaw allows authenticated users to bypass SSRF protection mechanisms and make the server issue HTTP requests to internal network resources. The vulnerability impacts LibreChat versions prior to 0.8.3, and a patch is available in version 0.8.3.
The SSRF vulnerability in LibreChat allows an authenticated user to supply a destination that the server then fetches on their behalf. The bypass comes from address validation that did not correctly handle IPv4-mapped IPv6 addresses, so a target written in that form was not matched by checks aimed at the dotted-quad IPv4 form. This defeats the intended control and gives the user a path to internal resources: cloud metadata services (e.g., AWS 169.254.169.254), loopback addresses, and RFC1918 private IP ranges. Successful exploitation could expose sensitive configuration data, API keys, or other credentials reachable from inside the network. The blast radius extends to any internal service accessible via HTTP from the LibreChat server.
CVE-2026-31943 was publicly disclosed on 2026-03-27. There is no indication of active exploitation at this time, and no public proof-of-concept (POC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. Given the SSRF nature and the potential for accessing sensitive internal resources, it is recommended to prioritize patching.
Exploit Status
EPSS: 0.03% (10th percentile)
The primary mitigation for CVE-2026-31943 is to upgrade LibreChat to version 0.8.3 or later, which includes the fix for the SSRF vulnerability. If upgrading is not immediately feasible, apply egress filtering at the host or network layer so that the LibreChat process cannot open connections to sensitive internal destinations (the cloud metadata address 169.254.169.254, loopback, and the RFC1918 ranges); note that a WAF inspects inbound requests and does not control what the server itself connects to, so it is not the right tool for this. Additionally, restrict outbound network access from the LibreChat server to only the internal resources it genuinely needs; on AWS, enforcing IMDSv2 on the instance further blunts the metadata path, since an SSRF that only controls a GET URL cannot perform the PUT-then-header token exchange IMDSv2 requires. Review authentication controls to limit the number of users who can reach the vulnerable functionality.
Update LibreChat to version 0.8.3 or higher. This version corrects the SSRF vulnerability by correctly validating IPv4-mapped IPv6 addresses: a destination such as ::ffff:169.254.169.254 is now recognised as the IPv4 address it maps to and rejected by the same rules as the dotted-quad form. The update prevents authenticated users from using this encoding to make the server issue HTTP requests to internal network resources.
CVE-2026-31943 is a HIGH severity SSRF vulnerability affecting LibreChat versions prior to 0.8.3. It allows authenticated users to bypass SSRF protection and access internal resources.
You are affected if you are running a LibreChat version prior to 0.8.3. Upgrade to version 0.8.3 or later to mitigate the vulnerability.
Upgrade LibreChat to version 0.8.3 or later. As a temporary workaround, apply egress filtering on the server so the LibreChat process cannot connect to sensitive internal IP ranges.
There is currently no evidence of active exploitation of CVE-2026-31943, but it is recommended to patch promptly due to the potential impact.
Refer to the LibreChat project's official security advisories and release notes for details on CVE-2026-31943 and the corresponding fix.