CVE-2026-54033: LibreChat: SSRF via custom API baseURL exposes internal network

HIGH
Published June 25, 2026
CISO Take

LibreChat prior to 0.8.4-rc1 allows any authenticated user to redirect the application's outbound HTTP requests to arbitrary network addresses — including internal RFC-1918 hosts and cloud metadata endpoints — by supplying a malicious baseURL in the custom OpenAI-compatible endpoint configuration, with zero server-side validation. The CVSS 7.7 score carries a Changed scope indicator, meaning exploitation breaks out of the LibreChat trust boundary and can reach internal services the application host has network access to, such as AWS IMDSv1 metadata endpoints that yield temporary IAM credentials. The exploitation bar is extremely low: a valid authenticated account with no elevated privileges is the only prerequisite, making any org member or trial user a viable threat actor. Upgrade to LibreChat 0.8.4-rc1 immediately; as an interim control, restrict custom API endpoint configuration to administrators only and enforce egress filtering on RFC-1918 and link-local ranges from the LibreChat host.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

High risk for organizations running LibreChat in shared, multi-tenant, or cloud-hosted configurations. The CVSS Changed scope is the critical factor — this is not a self-contained issue but a network pivot point into internal infrastructure. Exploitation requires no technical AI/ML expertise, only a user account. Cloud-hosted deployments are particularly exposed: AWS IMDSv1, GCP metadata service, and Azure IMDS are reachable from most container or VM deployments and can yield temporary credentials enabling lateral movement well beyond LibreChat itself. On-premises deployments face enumeration and unauthorized access to internal model APIs, vector databases, and orchestration services.

How does the attack unfold?

  1. Initial Access (AML.T0012): Attacker authenticates to LibreChat with any valid low-privilege user account — no elevated permissions, special role, or prior compromise required.

  2. Configuration Manipulation (AML.T0081): Attacker sets the baseURL of a custom OpenAI-compatible API endpoint to an internal network address (e.g., cloud metadata service, internal microservice) via the LibreChat API configuration UI.

  3. SSRF Exploitation (AML.T0049): LibreChat constructs outbound HTTP requests to the attacker-supplied baseURL without any IP address, URL scheme, or DNS validation, causing requests to reach unintended internal network targets.

  4. Internal Data Exfiltration (AML.T0025): Responses from internal services — including IAM credentials from cloud metadata endpoints, internal API data, or network service banners — are returned through the LibreChat API response channel to the attacker.

How severe is it?

CVSS 3.1: 7.7 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV: Network
AC: Low
PR: Low
UI: None
S: Changed
C: High
I: None
A: None

What should I do?

  1. Patch: Upgrade LibreChat to 0.8.4-rc1, which introduces SSRF validation on user-supplied baseURL values.

  2. Access control: Until patched, restrict custom API endpoint configuration to admin-only roles in LibreChat settings (EndpointConfig permissions).

  3. Network egress: Deploy firewall rules blocking outbound HTTP/HTTPS from the LibreChat host process to RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and link-local (169.254.0.0/16).

  4. IMDSv2 enforcement: If running on AWS EC2, enforce IMDSv2 with hop limit of 1 to neutralize metadata endpoint access from containerized LibreChat.

  5. Detection: Alert on outbound HTTP connections from the LibreChat process to private IP ranges; audit existing custom endpoint configurations for non-external baseURL values.

  6. Retroactive audit: Review all stored custom API endpoint configurations and revoke access from non-admin users pending patch deployment.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: 8.2 - AI risk assessment; 8.4 - AI system operation and monitoring
NIST AI RMF: MEASURE 2.2 - AI risk measurement
OWASP LLM Top 10: LLM06 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-54033 actively exploited?

No confirmed active exploitation of CVE-2026-54033 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-54033?

This vulnerability affects the following AI/ML architecture patterns: Multi-provider LLM API frontends, Cloud-hosted AI deployments, Internal AI service meshes, Enterprise AI assistant platforms, LLM API gateways.

What is the CVSS score for CVE-2026-54033?

CVE-2026-54033 has a CVSS v3.1 base score of 7.7 (HIGH).

What is the AI security impact?

Affected AI Architectures

Multi-provider LLM API frontends, Cloud-hosted AI deployments, Internal AI service meshes, Enterprise AI assistant platforms, LLM API gateways

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0081 Modify AI Agent Configuration
AML.T0085 Data from AI Services

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: 8.2, 8.4
NIST AI RMF: MEASURE 2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, LibreChat allows users to configure custom OpenAI-compatible API endpoints by setting a baseURL. This URL is used to construct HTTP requests without any SSRF validation — no private IP check, no scheme restriction, no DNS pinning. An authenticated user can set baseURL to internal network addresses. This vulnerability is fixed in 0.8.4-rc1.
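
The three checks the advisory lists as missing (scheme restriction, private IP check, DNS pinning), together with the stored-configuration audit from the remediation steps, sketched as an added example. This is not LibreChat's code or the 0.8.4-rc1 fix; the function names, the record shape, the blocked-range list and the sample hostnames are assumptions.

```javascript
// Added example; function names and the endpoint record shape are hypothetical.
const BLOCKED = [ // [network, prefix length, family]
  ['0.0.0.0', 8, 'ipv4'], ['10.0.0.0', 8, 'ipv4'], ['127.0.0.0', 8, 'ipv4'],
  ['169.254.0.0', 16, 'ipv4'], ['172.16.0.0', 12, 'ipv4'], ['192.168.0.0', 16, 'ipv4'],
  ['::', 128, 'ipv6'], ['::1', 128, 'ipv6'], ['fc00::', 7, 'ipv6'], ['fe80::', 10, 'ipv6'],
];
// Default resolver: returns every A/AAAA answer so each one is checked.
async function lookupAll(host) {
  const dns = await import('node:dns/promises');
  return dns.lookup(host, { all: true });
}
// Resolves to { ok: false, reason } or { ok: true, pinned }.
async function validateBaseURL(raw, resolve = lookupAll) {
  const { BlockList, isIP } = await import('node:net'); // loads from CommonJS or ESM
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: 'unparseable URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  const blocked = new BlockList();
  for (const [network, bits, family] of BLOCKED) blocked.addSubnet(network, bits, family);
  const host = url.hostname.replace(/^\[|\]$/g, ''); // strip IPv6 literal brackets
  let addrs = [];
  try {
    addrs = isIP(host) ? [{ address: host, family: isIP(host) }] : await resolve(host);
  } catch { /* resolution error: addrs stays empty and the check fails closed */ }
  if (addrs.length === 0) return { ok: false, reason: 'host did not resolve' };
  for (const { address, family } of addrs) {
    if (blocked.check(address, family === 6 ? 'ipv6' : 'ipv4')) {
      return { ok: false, reason: `${host} resolves to internal address ${address}` };
    }
  }
  // DNS pinning: the caller connects to this address instead of resolving the name again.
  return { ok: true, pinned: addrs[0].address };
}
// Audit pass over stored endpoint records: returns those whose baseURL fails the check.
async function auditEndpoints(records, resolve = lookupAll) {
  const findings = [];
  for (const rec of records) {
    const result = await validateBaseURL(rec.baseURL, resolve);
    if (!result.ok) findings.push({ user: rec.user, reason: result.reason });
  }
  return findings;
}
// Constructed sample data: a stub resolver standing in for DNS, and two stored records.
const STUB_DNS = { 'api.example.com': [{ address: '203.0.113.10', family: 4 }] };
const stubResolve = async (host) => STUB_DNS[host] || [];
const SAMPLE = [{ user: 'alice', baseURL: 'https://api.example.com/v1' },
  { user: 'bob', baseURL: 'http://169.254.169.254/latest/meta-data/' }];
```

The pinned address only protects the request if the HTTP client actually connects to it and redirects are disabled or re-validated with the same function.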

Exploitation Scenario

An attacker with a standard LibreChat user account navigates to the API configuration panel and creates a new custom endpoint with baseURL set to http://169.254.169.254/latest/meta-data/iam/security-credentials/ (AWS IMDSv1). On the next API call, LibreChat constructs an HTTP request to this address with no validation; the EC2 metadata service responds with a temporary IAM role credential containing AccessKeyId, SecretAccessKey, and Token. The attacker extracts these from the LibreChat API response, then uses the harvested credentials externally to enumerate S3 buckets containing model artifacts and training data, or pivots to other AWS services. In non-cloud deployments, the attacker probes known internal address ranges to locate unprotected MLflow servers, vector database admin APIs, or model registry endpoints, extracting proprietary models or user data.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Timeline

Published: June 25, 2026
Last Modified: June 25, 2026
First Seen: June 25, 2026
