{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22252", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-07T05:19:12.921Z", "datePublished": "2026-01-12T18:01:48.399Z", "dateUpdated": "2026-01-12T18:48:33.821Z"}, "containers": {"cna": {"title": "LibreChat MCP Stdio Remote Command Execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-cxhj-j78r-p88f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-cxhj-j78r-p88f"}, {"name": "https://github.com/danny-avila/LibreChat/commit/211b39f3113d4e6ecab84be0a83f4e9c9dea127f", "tags": ["x_refsource_MISC"], "url": "https://github.com/danny-avila/LibreChat/commit/211b39f3113d4e6ecab84be0a83f4e9c9dea127f"}], "affected": [{"vendor": "danny-avila", "product": "LibreChat", "versions": [{"version": "< v0.8.2-rc2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-12T18:01:48.399Z"}, "descriptions": [{"lang": "en", "value": "LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbitrary commands without validation, allowing any authenticated user to execute shell commands as root inside the container through a single API request. This vulnerability is fixed in v0.8.2-rc2."}], "source": {"advisory": "GHSA-cxhj-j78r-p88f", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-12T18:48:12.133804Z", "id": "CVE-2026-22252", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T18:48:33.821Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22252", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-12T18:48:12.133804Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T18:48:18.252Z"}}], "cna": {"title": "LibreChat MCP Stdio Remote Command Execution", "source": {"advisory": "GHSA-cxhj-j78r-p88f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "danny-avila", "product": "LibreChat", "versions": [{"status": "affected", "version": "< v0.8.2-rc2"}]}], "references": [{"url": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-cxhj-j78r-p88f", "name": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-cxhj-j78r-p88f", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/danny-avila/LibreChat/commit/211b39f3113d4e6ecab84be0a83f4e9c9dea127f", "name": "https://github.com/danny-avila/LibreChat/commit/211b39f3113d4e6ecab84be0a83f4e9c9dea127f", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbitrary commands without validation, allowing any authenticated user to execute shell commands as root inside the container through a single API request. This vulnerability is fixed in v0.8.2-rc2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-12T18:01:48.399Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22252", "state": "PUBLISHED", "dateUpdated": "2026-01-12T18:48:33.821Z", "dateReserved": "2026-01-07T05:19:12.921Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-12T18:01:48.399Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:librechat:librechat:0.8.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "8E26DE8F-E11A-4052-B9FE-59AD6B9AFD03", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbitrary commands without validation, allowing any authenticated user to execute shell commands as root inside the container through a single API request. This vulnerability is fixed in v0.8.2-rc2."}], "id": "CVE-2026-22252", "lastModified": "2026-01-15T22:46:28.130", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-12T19:16:03.200", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/danny-avila/LibreChat/commit/211b39f3113d4e6ecab84be0a83f4e9c9dea127f"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/danny-avila/LibreChat/security/advisories/GHSA-cxhj-j78r-p88f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T07:00:34.685746+00:00", "value": {"mitigation_remediation": ["Upgrade LibreChat to version 0.8.2-rc2 or later, which sanitizes commands sent to the MCP stdio transport.", "If an upgrade is infeasible, revoke or restrict authenticated access to the MCP stdio API until the patch is applied, or disable the transport altogether.", "After applying the patch, run the LibreChat container under least\u2011privilege user accounts, and enforce input validation on any remaining command execution points to reduce the risk of future injection flaws."], "summary": {"action": "Patch Immediately", "impact": "Remote Command Execution"}, "threat_synthesis": {"affected_systems": "The affected product is LibreChat by danny-avila, specifically versions up to and including 0.8.2-rc1. The vulnerability exists in the containerized deployment of LibreChat and is resolved in 0.8.2-rc2. All users running the unpatched release that expose the MCP stdio transport are vulnerable.", "description_and_impact": "LibreChat's MCP stdio transport, prior to version 0.8.2-rc2, treats incoming requests as direct shell commands without validation. An authenticated user can send a specially crafted API request that results in arbitrary command execution with root privileges inside the container. This flaw is a Command Injection type vulnerability (CWE-285) that can compromise confidentiality, integrity, and availability of the host system.", "risk_and_exploitability": "The CVSS score of 9.1 indicates a critical severity, while the EPSS score of less than 1% signals a very low likelihood of exploitation observed so far, and the vulnerability is not currently listed in CISA's known exploited vulnerabilities catalog. Nevertheless, because the vulnerability allows root\u2011level execution from an authenticated session, it is likely to be abused once discovered. An attacker can achieve full control over the container host by sending a single API request as any legitimate user."}}}}, "created": "2026-01-13T09:27:14.352079+00:00", "updated": "2026-04-18T07:15:25.844294+00:00", "vendors": ["librechat", "librechat$PRODUCT$librechat"]}