CVE-2026-54040
LibreChat: 2FA Backup Code Regeneration Without OTP Verification Allows 2FA Bypass
CVSS Score
5.9
EPSS Score
0.0%
EPSS Percentile
0th
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the POST /api/auth/2fa/backup/regenerate endpoint regenerates all 2FA backup codes without requiring any TOTP token or existing backup code verification. An attacker with a stolen session token can silently replace a victim's backup codes and use them to bypass 2FA login or disable 2FA entirely. This vulnerability is fixed in 0.8.4-rc1.
| CWE | CWE-306 |
| Vendor | danny-avila |
| Product | librechat |
| Published | Jun 25, 2026 |
| Last Updated | Jun 25, 2026 |
Stay Ahead of the Next One
Get instant alerts for danny-avila librechat
Be the first to know when new medium vulnerabilities affecting danny-avila librechat are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None
Affected Versions
danny-avila / LibreChat
< 0.8.4-rc1