CVE-2026-54036

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the GET /api/auth/2fa/enable endpoint can be called by an authenticated user (or attacker with a stolen session) even when 2FA is already fully enabled on the account. This endpoint overwrites the existing TOTP secret, generates new backup codes, and sets twoFactorEnabled to false — all without requiring any TOTP or backup code verification. An attacker with a valid session token can completely take over a victim's 2FA, locking the legitimate user out of their own two-factor authentication. This vulnerability is fixed in 0.8.4-rc1.
Configurations

Configuration 1

cpe:2.3:a:librechat:librechat:*:*:*:*:*:*:*:*

History

26 Jun 2026, 19:02

Type: CPE
  Values added: cpe:2.3:a:librechat:librechat:*:*:*:*:*:*:*:*
Type: References
  Values removed: https://github.com/danny-avila/LibreChat/security/advisories/GHSA-45fp-6q26-wfgq (no tags)
  Values added: https://github.com/danny-avila/LibreChat/security/advisories/GHSA-45fp-6q26-wfgq (Exploit, Vendor Advisory)
Type: First Time
  Values added: Librechat librechat; Librechat

25 Jun 2026, 17:16

Type: References
  Values removed: https://github.com/danny-avila/LibreChat/security/advisories/GHSA-45fp-6q26-wfgq (no tags)
  Values added: https://github.com/danny-avila/LibreChat/security/advisories/GHSA-45fp-6q26-wfgq (no tags)

25 Jun 2026, 16:16

Type: New CVE

Information

Published : 2026-06-25 16:16

Updated : 2026-06-26 19:02


NVD link : CVE-2026-54036

Mitre link : CVE-2026-54036

CVE.ORG link : CVE-2026-54036



Products Affected

librechat

  • librechat
CWE
CWE-306

Missing Authentication for Critical Function