CVE Catalog

CVE-2026-54040

MediumCVSS 5.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.15%

5th percentile — higher than 5% of all known CVEs

Summary

A vulnerability in LibreChat prior to 0.8.4-rc1 allows an attacker with a stolen session token to regenerate all 2FA backup codes without requiring any TOTP token or existing backup code. This enables bypassing 2FA login or disabling 2FA entirely.

Risk Assessment

The risk is that an attacker with a session token can silently replace a victim's backup codes and use them to gain unauthorized access to the system, bypassing two-factor authentication.

Recommendation

Immediately upgrade LibreChat to version 0.8.4-rc1 or later, which includes a fix requiring TOTP or existing backup code verification before regenerating backup codes.

Original NVD description (English source)

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the POST /api/auth/2fa/backup/regenerate endpoint regenerates all 2FA backup codes without requiring any TOTP token or existing backup code verification. An attacker with a stolen session token can silently replace a victim's backup codes and use them to bypass 2FA login or disable 2FA entirely. This vulnerability is fixed in 0.8.4-rc1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS