LibreChat
cpe:2.3:a:librechat:librechat:*:*:*:*:*:*:*
- <= 0.8.3
A vulnerability in LibreChat versions through 0.8.3 allows users with VIEW access to an MCP server to access decrypted admin-managed secrets. This is achieved through the 'GET /api/mcp/servers' and 'GET /api/mcp/servers/:serverName' endpoints, which return plaintext values for 'apiKey.key' and 'oauth.client_secret'. The issue arises because the MCP registry decrypts sensitive server configurations before sending them in the response, without redacting these secrets. As a result, viewers can exfiltrate provider credentials that should remain confidential.
This vulnerability enables any user with VIEW access on a shared MCP server to steal sensitive provider credentials, including third-party API keys and OAuth client secrets, which could be reused in other contexts, potentially leading to broader exposure.
To reproduce this vulnerability, create an MCP server as an admin and store sensitive secrets such as an API key and an OAuth client secret. Share the server with a user who has VIEW-only access. The viewer can then log in and use the 'GET /api/mcp/servers' endpoint to retrieve the decrypted secrets. This can be verified by calling the 'GET /api/mcp/servers/:serverName' endpoint, which will return the same plaintext secrets.
Update to LibreChat version 0.8.4 or later. Additionally, ensure that the application does not return decrypted admin-managed secrets to non-owners and that it redacts sensitive information from API responses, and consider using placeholders for secrets that need to be edited.
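The redaction and placeholder approach recommended above, sketched as an added example; this is not LibreChat's code or its 0.8.4 patch. The field paths 'apiKey.key' and 'oauth.client_secret' come from the advisory; the function names, the placeholder value, the sample config, and the choice to redact for every caller (owners included) are assumptions.

```javascript
// Added example, not LibreChat's code. Secret field paths are from the advisory;
// function names and the placeholder value are assumptions.
const SECRET_PATHS = [['apiKey', 'key'], ['oauth', 'client_secret']];
const PLACEHOLDER = '__REDACTED__';

function getPath(obj, path) {
  return path.reduce((node, k) => (node == null ? undefined : node[k]), obj);
}
function setPath(obj, path, value) {
  const parent = getPath(obj, path.slice(0, -1));
  if (parent && typeof parent === 'object') parent[path[path.length - 1]] = value;
}

// Build the body for GET /api/mcp/servers and GET /api/mcp/servers/:serverName.
// Works on a deep copy so the decrypted in-memory config is never mutated.
function toResponse(decryptedConfig) {
  const out = JSON.parse(JSON.stringify(decryptedConfig));
  for (const path of SECRET_PATHS) {
    const v = getPath(out, path);
    if (typeof v === 'string' && v.length > 0) setPath(out, path, PLACEHOLDER);
  }
  return out;
}

// Apply an edit: a placeholder sent back means "keep the stored secret";
// any other value replaces it (rotation).
function applyUpdate(storedConfig, submitted) {
  const next = JSON.parse(JSON.stringify(submitted));
  for (const path of SECRET_PATHS) {
    if (getPath(next, path) === PLACEHOLDER) setPath(next, path, getPath(storedConfig, path));
  }
  return next;
}

// Regression check: list secret paths whose stored value still appears in a response.
function leakedPaths(storedConfig, responseBody) {
  const text = JSON.stringify(responseBody);
  return SECRET_PATHS.filter((p) => {
    const v = getPath(storedConfig, p);
    return typeof v === 'string' && v.length > 0 && text.includes(JSON.stringify(v).slice(1, -1));
  }).map((p) => p.join('.'));
}

// Constructed sample config; all values are fake.
const sample = {
  serverName: 'example-mcp', url: 'https://mcp.example.invalid',
  apiKey: { key: 'sk-constructed-123' },
  oauth: { client_id: 'abc', client_secret: 'constructed-secret' },
};
```

Running `leakedPaths` against recorded responses from both endpoints in an integration test catches a regression where a new code path returns the decrypted config directly.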