PT-2026-45882 · Librechat · Librechat

Logggg2402 · Published 2026-06-02 · Updated 2026-06-03 · CVE-2026-44653

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: LibreChat versions prior to 0.8.4

Description: Users with only VIEW access to an MCP server can retrieve decrypted admin-managed secrets. This occurs through the endpoints "/api/mcp/servers" and "/api/mcp/servers/:serverName", where the returned configuration includes plaintext values for the variables apiKey.key and oauth.client secret. This allows unauthorized users to exfiltrate provider credentials.

Recommendations: Update to version 0.8.4. Redact apiKey.key and oauth.client secret from all API responses. Avoid returning decrypted admin-managed secrets to non-owners, using boolean presence indicators or server-side placeholders instead.
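The following is an added example of the redaction pattern the recommendation describes; it is not LibreChat's own code and is not taken from the 0.8.4 fix. The config object shape, the field names `apiKey.key` and `oauth.client_secret`, and the indicator names `hasKey` / `hasClientSecret` are assumptions made for illustration, and the sample server record is constructed. The idea is that the API layer never serializes the decrypted secret for a viewer: the secret leaf is removed from a copy of the config and replaced by a boolean that only says whether a value is configured, and a response guard can be run in tests or middleware to catch any path that would still leak.

```javascript
// Added example (not LibreChat's code). Field paths are assumptions based on
// the advisory text, not LibreChat's real schema.

// Secret field path -> presence-indicator path that replaces it in responses.
const SECRET_FIELDS = {
  'apiKey.key': 'apiKey.hasKey',
  'oauth.client_secret': 'oauth.hasClientSecret',
};

// Read a dotted path, returning undefined for any missing segment.
function getPath(obj, path) {
  return path.split('.').reduce((cur, k) => (cur == null ? undefined : cur[k]), obj);
}

// Write a dotted path, creating intermediate objects as needed.
function setPath(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (const k of keys.slice(0, -1)) {
    if (cur[k] == null || typeof cur[k] !== 'object') cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
}

// Delete the leaf of a dotted path if its parent exists.
function deletePath(obj, path) {
  const keys = path.split('.');
  const parent = keys.length === 1 ? obj : getPath(obj, keys.slice(0, -1).join('.'));
  if (parent && typeof parent === 'object') delete parent[keys[keys.length - 1]];
}

// Return a response-safe copy of one MCP server config. The decrypted object
// is never mutated and never reaches the serializer by reference. Plaintext is
// only kept when the caller explicitly asks for it, which should happen solely
// in an owner/admin edit flow after its own authorization check.
function redactServerConfig(config, { revealSecrets = false } = {}) {
  const out = JSON.parse(JSON.stringify(config)); // deep copy of plain config data
  if (revealSecrets) return out;
  for (const [secretPath, flagPath] of Object.entries(SECRET_FIELDS)) {
    const value = getPath(out, secretPath);
    deletePath(out, secretPath);
    // Boolean presence indicator instead of the secret itself.
    setPath(out, flagPath, typeof value === 'string' && value.length > 0);
  }
  return out;
}

// Same treatment for the list endpoint.
function redactServerList(configs, opts) {
  return configs.map((c) => redactServerConfig(c, opts));
}

// Response guard: list every secret path still present in an outgoing payload
// (single object or array). An empty result means nothing would leak.
function findLeakedSecrets(payload) {
  const items = Array.isArray(payload) ? payload : [payload];
  const leaks = [];
  items.forEach((item, i) => {
    for (const secretPath of Object.keys(SECRET_FIELDS)) {
      if (getPath(item, secretPath) !== undefined) leaks.push(`[${i}].${secretPath}`);
    }
  });
  return leaks;
}

// Constructed sample record, not real configuration.
const sampleServer = {
  name: 'example-mcp',
  url: 'https://mcp.example.invalid',
  apiKey: { key: 'sk-CONSTRUCTED-SAMPLE' },
  oauth: { client_id: 'client-123', client_secret: 'CONSTRUCTED-SECRET' },
};

console.log(JSON.stringify(redactServerConfig(sampleServer)));
console.log('leaks before redaction:', findLeakedSecrets(sampleServer));
console.log('leaks after redaction:', findLeakedSecrets(redactServerList([sampleServer])));
```

Wiring `findLeakedSecrets` into an integration test for both endpoints named in the description gives a regression check that fails the moment a new code path serializes the decrypted object again.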


Related Identifiers: CVE-2026-44653

Affected Products: Librechat