CVE-2026-54036
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk12th percentile — higher than 12% of all known CVEs
Summary
In LibreChat prior to 0.8.4-rc1, an authenticated user (or attacker with a stolen session) can call the GET /api/auth/2fa/enable endpoint, which overwrites the existing TOTP secret, generates new backup codes, and sets twoFactorEnabled to false without requiring any TOTP or backup code verification. This allows an attacker to completely take over a victim's two-factor authentication.
Risk Assessment
An attacker with a valid session token can lock the legitimate user out of their own two-factor authentication, leading to account takeover and potential data breach.
Recommendation
Immediately update LibreChat to version 0.8.4-rc1 or later, which contains the fix for this vulnerability.
Original NVD description (English source)
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the GET /api/auth/2fa/enable endpoint can be called by an authenticated user (or attacker with a stolen session) even when 2FA is already fully enabled on the account. This endpoint overwrites the existing TOTP secret, generates new backup codes, and sets twoFactorEnabled to false — all without requiring any TOTP or backup code verification. An attacker with a valid session token can completely take over a victim's 2FA, locking the legitimate user out of their own two-factor authentication. This vulnerability is fixed in 0.8.4-rc1.

