What happened
LibreChat prior to 0.8.5 implements MCP OAuth but does not validate that the resource parameter in OAuth Protected Resource metadata matches the configured MCP server URL. A malicious MCP server can exploit this to receive OAuth tokens intended for a legitimate server, enabling token theft and impersonation attacks against any OAuth-protected service the user has authorized.
Why it matters
As AI platforms integrate MCP for tool use, OAuth token security becomes critical. A stolen MCP OAuth token can grant an attacker access to all tools and services the user has authorized — including code repositories, databases, cloud APIs, and enterprise services — turning a misconfigured MCP connection into a full credential theft vector.
Attack vector
A malicious MCP server presents OAuth Protected Resource metadata (RFC 9728) with a resource parameter that does not match the configured MCP server URL. LibreChat's MCP OAuth implementation fails to validate this mismatch, allowing the malicious server to steal OAuth access tokens intended for a legitimate MCP server and use them to impersonate the victim to other services.
Affected systems
LibreChat < 0.8.5
Mitigation
Upgrade to LibreChat 0.8.5. Advisory: https://github.com/danny-avila/LibreChat/security/advisories/GHSA-gvpj-vm2f-2m23