CVE-2026-31942

Name of the Vulnerable Software and Affected Versions LibreChat versions prior to 0.8.3-rc1

Description An Insecure Direct Object Reference (IDOR) exists in the 'PUT /api/keys' endpoint. Due to the use of the JavaScript object spread operator after setting the authenticated user's ID, an authenticated user can inject a userId parameter in the request body to overwrite the API keys of another user. This allows an attacker to replace a victim's API key configuration for providers such as OpenAI, Anthropic, or Azure, which could route conversations through attacker-controlled keys or cause a denial of service by providing invalid keys.

Recommendations Update to version 0.8.3-rc1.