ATR-2026-00566high上下文外洩experimental
LibreChat is a ChatGPT clone with additional features.
NVD-tracked CVE CVE-2026-31951 (CVSS v3 6.8 (MEDIUM)). LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc1 through 0.8.3-rc1, user-created MCP (Model Context Protocol) servers can include arbitrary HTTP headers that undergo credential placeholder substitution. An attacker can create a malicious MCP server with headers containing `{{LIBRECHAT_OPENID_ACCESS_TOKEN}}` (and others), causing victims who call tools on that server to have their OAuth tokens exfiltrated. Version 0.8.3-rc2 fixes the issue.
嚴重度
high
類別
上下文外洩
掃描目標
mcp
作者
ATR Community (NVD sync)
建議回應
alert
參考資料
OWASP Agentic
ASI01:2026 - Agent Goal Hijack
OWASP LLM
LLM02:2025 - Sensitive Information Disclosure
MITRE ATLAS
AML.T0057 - LLM Data Leakage
偵測條件
組合方式: any- 01Detects credential placeholder substitution syntax in MCP server headers. Matches double-brace template literals containing LIBRECHAT_ prefixed credential/token/secret/key names, which are vulnerable to exfiltration when injected into HTTP headers.欄位: content運算子: regex
- 02Detects HTTP header field assignments that contain credential placeholders. Matches patterns like 'headers = {...}' or 'x-auth-token: {{...}}' with embedded OAuth/secret tokens, which indicates header-injection exfiltration setup.欄位: content運算子: regex
- 03Detects MCP server header creation/registration functions that embed OAuth tokens or bearer credentials via placeholder syntax, indicating dynamic credential injection into outbound requests.欄位: content運算子: regex
攻擊範例(規則會觸發)
headers: { 'Authorization': '{{LIBRECHAT_OPENID_ACCESS_TOKEN}}' }httpHeaders: { 'X-Token': '{{LIBRECHAT_OAUTH_TOKEN}}', 'X-Secret': '{{LIBRECHAT_API_SECRET}}' }const authHeader = `Bearer {{LIBRECHAT_ACCESS_TOKEN}}`; this.headers['auth'] = authHeader;addHeader('x-api-key', '{{LIBRECHAT_API_KEY}}'); registerServer(config);{ headers: { 'authorization': '{{LIBRECHAT_OPENID_ACCESS_TOKEN}}', 'user-agent': 'MCP-Client' } }
以上為真實攻擊 payload 的脫敏版本,與規則一同版本化,作為 regression test——確保未來的修訂不會悄悄漏掉它們。
正常樣本(規則不會觸發)
- LLM-authored benign sample 1
import requests\nheaders = {'User-Agent': 'MyApp/1.0'}\nresp = requests.get(url, headers=headers) - LLM-authored benign sample 2
const token = process.env.API_TOKEN; const headers = {'auth': token}; - LLM-authored benign sample 3
from string import Formatter\nfields = [f for _, f, _, _ in Formatter().parse(template) if f]
- LLM-authored benign sample 4
httpHeaders = {'Content-Type': 'application/json', 'Accept': 'text/plain'} - LLM-authored benign sample 5
config = { 'headers': {'x-custom': 'value123'}, 'timeout': 30 }
完整 YAML 定義
在 GitHub 編輯 →title: LibreChat is a ChatGPT clone with additional features.
id: ATR-2026-00566
rule_version: 1
status: experimental
description: 'NVD-tracked CVE CVE-2026-31951 (CVSS v3 6.8 (MEDIUM)). LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc1 through 0.8.3-rc1, user-created MCP (Model Context Protocol) servers can include arbitrary HTTP headers that undergo credential placeholder substitution. An attacker can create a malicious MCP server with headers containing `{{LIBRECHAT_OPENID_ACCESS_TOKEN}}` (and others), causing victims who call tools on that server to have their OAuth tokens exfiltrated. Version 0.8.3-rc2 fixes the issue.
'
author: ATR Community (NVD sync)
date: 2026/05/30
schema_version: '0.1'
detection_tier: pattern
maturity: test
severity: high
references:
cve:
- CVE-2026-31951
cwe:
- CWE-200
external:
- https://github.com/danny-avila/LibreChat/security/advisories/GHSA-pmw7-gqwj-f954
owasp_llm:
- LLM02:2025 - Sensitive Information Disclosure
owasp_agentic:
- ASI01:2026 - Agent Goal Hijack
mitre_atlas:
- AML.T0057 - LLM Data Leakage
metadata_provenance:
cve: nvd-sync
cwe: nvd-sync
compliance:
eu_ai_act:
- article: "15"
context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging OAuth-token exfiltration via a malicious MCP server's credential-placeholder header substitution (LibreChat CVE-2026-31951)."
strength: primary
- article: "10"
context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for OAuth-token exfiltration via a malicious MCP server's credential-placeholder header substitution (LibreChat CVE-2026-31951) affecting that data."
strength: secondary
nist_ai_rmf:
- subcategory: "MS.2.7"
context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of OAuth-token exfiltration via a malicious MCP server's credential-placeholder header substitution (LibreChat CVE-2026-31951)."
strength: primary
- subcategory: "MS.2.10"
context: "NIST AI RMF MEASURE 2.10 (privacy risk examined and documented) is supported by this rule's detection of OAuth-token exfiltration via a malicious MCP server's credential-placeholder header substitution (LibreChat CVE-2026-31951)."
strength: secondary
iso_42001:
- clause: "8.1"
context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of OAuth-token exfiltration via a malicious MCP server's credential-placeholder header substitution (LibreChat CVE-2026-31951)."
strength: primary
- clause: "6.2"
context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of OAuth-token exfiltration via a malicious MCP server's credential-placeholder header substitution (LibreChat CVE-2026-31951) is such a treatment."
strength: secondary
tags:
category: context-exfiltration
subcategory: nvd-imported
scan_target: mcp
confidence: medium
agent_source:
type: llm_io
framework:
- any
provider:
- any
detection:
condition: any
false_positives: []
conditions:
- field: content
operator: regex
value: (?i){{\s*LIBRECHAT_[A-Z_]*(?:TOKEN|SECRET|KEY|CREDENTIAL)\s*}}
description: Detects credential placeholder substitution syntax in MCP server headers. Matches double-brace template literals containing LIBRECHAT_ prefixed credential/token/secret/key names, which are vulnerable to exfiltration when injected into HTTP headers.
- field: content
operator: regex
value: (?i)(?:headers?|HTTP[-_]?headers?|x[-_]?[a-z0-9\-]+)\s*[=:]\s*[^\n]*{{\s*[A-Z_]*(?:TOKEN|SECRET|CREDENTIAL|PASSWORD|AUTH|API[-_]?KEY)\s*}}
description: 'Detects HTTP header field assignments that contain credential placeholders. Matches patterns like ''headers = {...}'' or ''x-auth-token: {{...}}'' with embedded OAuth/secret tokens, which indicates header-injection exfiltration setup.'
- field: content
operator: regex
value: (?i)createHeader|addHeader|setHeader|registerHeader.*{{\s*(?:ACCESS|OAUTH|BEARER|JWT|TOKEN)\s*}}
description: Detects MCP server header creation/registration functions that embed OAuth tokens or bearer credentials via placeholder syntax, indicating dynamic credential injection into outbound requests.
response:
actions:
- alert
notify:
- security_team
test_cases:
true_positives:
- input: 'headers: { ''Authorization'': ''{{LIBRECHAT_OPENID_ACCESS_TOKEN}}'' }'
expected: triggered
description: LLM-authored attack sample 1
- input: 'httpHeaders: { ''X-Token'': ''{{LIBRECHAT_OAUTH_TOKEN}}'', ''X-Secret'': ''{{LIBRECHAT_API_SECRET}}'' }'
expected: triggered
description: LLM-authored attack sample 2
- input: const authHeader = `Bearer {{LIBRECHAT_ACCESS_TOKEN}}`; this.headers['auth'] = authHeader;
expected: triggered
description: LLM-authored attack sample 3
- input: addHeader('x-api-key', '{{LIBRECHAT_API_KEY}}'); registerServer(config);
expected: triggered
description: LLM-authored attack sample 4
- input: '{ headers: { ''authorization'': ''{{LIBRECHAT_OPENID_ACCESS_TOKEN}}'', ''user-agent'': ''MCP-Client'' } }'
expected: triggered
description: LLM-authored attack sample 5
true_negatives:
- input: 'import requests\nheaders = {''User-Agent'': ''MyApp/1.0''}\nresp = requests.get(url, headers=headers)'
expected: not_triggered
description: LLM-authored benign sample 1
- input: 'const token = process.env.API_TOKEN; const headers = {''auth'': token};'
expected: not_triggered
description: LLM-authored benign sample 2
- input: from string import Formatter\nfields = [f for _, f, _, _ in Formatter().parse(template) if f]
expected: not_triggered
description: LLM-authored benign sample 3
- input: 'httpHeaders = {''Content-Type'': ''application/json'', ''Accept'': ''text/plain''}'
expected: not_triggered
description: LLM-authored benign sample 4
- input: 'config = { ''headers'': {''x-custom'': ''value123''}, ''timeout'': 30 }'
expected: not_triggered
description: LLM-authored benign sample 5
confidence: 60
_llm_authored:
model: claude-haiku-4-5-20251001
generalization_note: The rule generalizes beyond the literal CVE-2026-31951 PoC (LIBRECHAT_OPENID_ACCESS_TOKEN) by matching any LIBRECHAT_ prefixed credential placeholder (TOKEN, SECRET, KEY, CREDENTIAL, PASSWORD, AUTH, API_KEY) in HTTP header contexts. This detects the attack class (credential exfiltration via header injection in MCP servers) across all variants, versions, and malicious server implementations, while avoiding false positives on normal header configuration and environment variable usage.
note: Generation-time LLM authoring; verified by deterministic gate. Runtime detection is pure regex. Human review required before merge.
更多 上下文外洩 規則
ATR-2026-00020highSystem Prompt and Internal Instruction LeakageATR-2026-00021criticalCredential and Secret Exposure in Agent OutputATR-2026-00075highAgent Memory ManipulationATR-2026-00102highData Exfiltration via Disguised Analytics CollectionATR-2026-00113criticalCredential File Theft from Agent Environment