LibreChat: IDOR enables cross-user API key hijacking — HIGH (CVE-2026-31942)

CISO Take

LibreChat versions up to 0.7.6 contain an Insecure Direct Object Reference flaw in the API key management endpoint that allows any authenticated user to overwrite another user's AI provider credentials (OpenAI, Anthropic, Azure) by injecting a target userId into the PUT /api/keys request body — a consequence of JavaScript object spread ordering that sets the user ID before spreading untrusted input. In multi-tenant or enterprise self-hosted deployments, this means a low-privilege attacker can silently redirect a victim's LLM conversations through attacker-controlled API keys, enabling passive monitoring of all prompt-response pairs via the attacker's provider account logs. The exploit requires no specialized skill — only a valid account and a modified HTTP request — making it realistic in any shared LibreChat environment, particularly organizations using it for sensitive internal workflows such as legal, HR, or security operations. Upgrade to version 0.8.3-rc1 immediately; if patching is delayed, block the PUT /api/keys endpoint at the reverse proxy for cross-user requests and audit API key change logs for userId values that differ from the authenticated session principal.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

High risk for any multi-user LibreChat deployment. CVSS 7.1 reflects low attack complexity and minimal privilege requirements combined with high integrity impact. No public exploit code or CISA KEV listing as of publication, but the vulnerability is trivially reproducible using standard HTTP interception tools — no AI or security expertise required. Organizations running shared or enterprise LibreChat instances face real credential compromise risk. The confidentiality of LLM API interactions is directly threatened because attacker-substituted keys grant the attacker visibility into all victim conversation traffic at the provider layer.

Attack Kill Chain

Initial Access

Attacker authenticates to the target LibreChat instance using a valid low-privilege account, either self-registered or compromised.

AML.T0012

Victim Reconnaissance

Attacker identifies a target victim's userId through API responses, profile enumeration, or shared conversation metadata within the LibreChat platform.

AML.T0087

Exploitation

Attacker sends a crafted PUT /api/keys request injecting the victim's userId in the request body, exploiting the object spread ordering flaw to overwrite the victim's AI provider API keys with attacker-controlled credentials.

AML.T0049

Impact

All subsequent LLM API calls by the victim route through the attacker's API keys, granting the attacker full visibility into victim conversation content via provider logs, or denying the victim service entirely via invalid key substitution.

AML.T0040

Initial Access

Attacker authenticates to the target LibreChat instance using a valid low-privilege account, either self-registered or compromised.

AML.T0012

Victim Reconnaissance

Attacker identifies a target victim's userId through API responses, profile enumeration, or shared conversation metadata within the LibreChat platform.

AML.T0087

Exploitation

Attacker sends a crafted PUT /api/keys request injecting the victim's userId in the request body, exploiting the object spread ordering flaw to overwrite the victim's AI provider API keys with attacker-controlled credentials.

AML.T0049

Impact

All subsequent LLM API calls by the victim route through the attacker's API keys, granting the attacker full visibility into victim conversation content via provider logs, or denying the victim service entirely via invalid key substitution.

AML.T0040

Severity & Risk

CVSS 3.1

7.1 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR Low

UI None

S Unchanged

C None

I High

A Low

What should I do?

5 steps

PATCH

Upgrade LibreChat to version 0.8.3-rc1 or later — this is the only complete fix.
WORKAROUND (if patching is delayed): At the reverse proxy or WAF layer, enforce that the userId in PUT /api/keys request bodies matches the authenticated session user ID; reject or strip divergent values.
DETECT

Audit application access logs for PUT /api/keys requests where the body userId field differs from the session-authenticated user; any such request represents a likely exploitation attempt.
INVESTIGATE

Review API key change history across all users for unauthorized modifications, particularly changes made shortly after an unrecognized login.
ROTATE

If compromise is suspected, immediately rotate all AI provider API keys (OpenAI, Anthropic, Azure, etc.) associated with potentially affected users and revoke any attacker-substituted keys via the respective provider dashboards.

Classification

Auth Bypass Data Extraction API Framework AML.T0012 - Valid Accounts AML.T0040 - AI Model Inference API Access AML.T0049 - Exploit Public-Facing Application AML.T0091.000 - Application Access Token AML.T0106 - Exploitation for Credential Access

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1.3 - Access control for AI systems

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain and improve AI risk management

OWASP LLM Top 10

LLM02:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-31942?

LibreChat versions up to 0.7.6 contain an Insecure Direct Object Reference flaw in the API key management endpoint that allows any authenticated user to overwrite another user's AI provider credentials (OpenAI, Anthropic, Azure) by injecting a target userId into the PUT /api/keys request body — a consequence of JavaScript object spread ordering that sets the user ID before spreading untrusted input. In multi-tenant or enterprise self-hosted deployments, this means a low-privilege attacker can silently redirect a victim's LLM conversations through attacker-controlled API keys, enabling passive monitoring of all prompt-response pairs via the attacker's provider account logs. The exploit requires no specialized skill — only a valid account and a modified HTTP request — making it realistic in any shared LibreChat environment, particularly organizations using it for sensitive internal workflows such as legal, HR, or security operations. Upgrade to version 0.8.3-rc1 immediately; if patching is delayed, block the PUT /api/keys endpoint at the reverse proxy for cross-user requests and audit API key change logs for userId values that differ from the authenticated session principal.

Is CVE-2026-31942 actively exploited?

No confirmed active exploitation of CVE-2026-31942 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-31942?

1. PATCH: Upgrade LibreChat to version 0.8.3-rc1 or later — this is the only complete fix. 2. WORKAROUND (if patching is delayed): At the reverse proxy or WAF layer, enforce that the userId in PUT /api/keys request bodies matches the authenticated session user ID; reject or strip divergent values. 3. DETECT: Audit application access logs for PUT /api/keys requests where the body userId field differs from the session-authenticated user; any such request represents a likely exploitation attempt. 4. INVESTIGATE: Review API key change history across all users for unauthorized modifications, particularly changes made shortly after an unrecognized login. 5. ROTATE: If compromise is suspected, immediately rotate all AI provider API keys (OpenAI, Anthropic, Azure, etc.) associated with potentially affected users and revoke any attacker-substituted keys via the respective provider dashboards.

What systems are affected by CVE-2026-31942?

This vulnerability affects the following AI/ML architecture patterns: multi-tenant LLM chat platforms, self-hosted AI assistant deployments, enterprise AI gateway and API broker deployments, multi-provider AI API integrations.

What is the CVSS score for CVE-2026-31942?

CVE-2026-31942 has a CVSS v3.1 base score of 7.1 (HIGH).

AI Security Impact

Affected AI Architectures

multi-tenant LLM chat platformsself-hosted AI assistant deploymentsenterprise AI gateway and API broker deploymentsmulti-provider AI API integrations

MITRE ATLAS Techniques

AML.T0012 Valid Accounts

AML.T0040 AI Model Inference API Access

AML.T0049 Exploit Public-Facing Application

AML.T0091.000 Application Access Token

AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.6.1.3

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM02:2025

Technical Details

Original Advisory

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.7.6, an Insecure Direct Object Reference (IDOR) vulnerability exists in the API keys management endpoint (PUT /api/keys). Due to the use of the JavaScript object spread operator after setting the authenticated user's ID, any authenticated user can inject a userId parameter in the request body to overwrite any other user's API keys (e.g., OpenAI, Anthropic, Azure). This allows an attacker to replace a victim's API key configuration, potentially routing the victim's conversations through attacker-controlled keys or denying service by providing invalid keys. This is patched in version 0.8.3-rc1.

Exploitation Scenario

An attacker registers a free or compromised low-privilege account on a shared enterprise LibreChat instance. Using a proxy such as Burp Suite, they intercept the PUT /api/keys request made from their own session, observing the JSON body structure including their own userId. They then enumerate or infer a target victim's userId — potentially via API responses, profile pages, or shared conversation references — and craft a modified PUT /api/keys request substituting the victim's userId while providing their own attacker-controlled OpenAI or Anthropic API key. Because LibreChat spreads the authenticated user ID before applying the request body, the attacker-supplied userId overwrites it. From this point, every LLM call the victim makes in LibreChat is billed to and logged under the attacker's API key account, giving the attacker full visibility into victim conversation content through the provider's usage dashboard or API logs — all without ever touching the victim's LibreChat session.