LibreChat MCP Credential Exfiltration (CVE-2026-44653/44654)
AI relevance: LibreChat is a widely deployed multi-provider LLM chat platform that acts as an MCP client — when users can call MCP servers through the UI, credential leakage in the chat layer becomes a direct path to exfiltrating underlying AI provider API keys.
What happened
- CVE-2026-44653 (CVSS 6.5, CWE-201) — In LibreChat ≤ 0.8.3, users granted only
VIEWaccess to a shared MCP server can callGET /api/mcp/serversandGET /api/mcp/servers/:serverNameand receive the server's full config including plaintextapiKey.keyandoauth.client_secretvalues. - CVE-2026-44654 (Info severity, CWE-863) — A shared-agent editor with limited permissions can delete file records globally across the LibreChat instance, not scoped to the shared agent they were invited to.
- Both were disclosed June 2, 2026. Patched in LibreChat 0.8.4.
- The MCP credential leak (44653) is the higher-signal finding: it turns a read-only shared-workspace invitation into a full API-key harvest against whatever LLM providers (OpenAI, Anthropic, etc.) the admin configured.
Why it matters
- LibreChat is one of the most popular self-hosted ChatGPT alternatives, used by teams running internal AI tooling — exactly the deployments that manage their own MCP integrations and provider keys.
- The vulnerability demonstrates a broader pattern: MCP credential management in multi-tenant chat platforms is immature, and "viewer" permission boundaries are being treated as read-only UI gates rather than data-access controls.
- Leaked provider keys give an attacker unrestricted access to whatever models, embeddings, and tool-calls the admin configured — effectively a lateral-movement primitive across the AI stack.
What to do
- Upgrade LibreChat to 0.8.4+ immediately.
- If you can't patch today, audit who has
VIEWaccess to shared MCP servers and revoke unnecessary invites. - Rotate any provider API keys that were stored in MCP server configs on pre-0.8.4 LibreChat instances — treat them as potentially compromised.
- Verify that your LibreChat instance does not return decrypted secrets in any API response to non-owner users (the recommended fix pattern: return boolean presence indicators only).