CVE-2026-22252
Published: 12 January 2026
Summary
CVE-2026-22252 is a critical-severity Improper Authorization (CWE-285) vulnerability in Librechat Librechat. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 11.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-22252 is a critical vulnerability in LibreChat, an open-source ChatGPT clone with additional features, affecting versions prior to v0.8.2-rc2. The issue resides in LibreChat's MCP stdio transport, which accepts arbitrary commands without validation. This flaw, published on 2026-01-12, carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and is categorized under CWE-285 (Improper Authorization), enabling remote code execution.
Any authenticated user with high privileges can exploit this vulnerability over the network with low complexity through a single API request. Successful exploitation allows the attacker to execute arbitrary shell commands as root inside the LibreChat container, potentially granting full control over the containerized environment, including high confidentiality, integrity, and availability impacts due to the scope change.
The vulnerability is fixed in LibreChat v0.8.2-rc2. Official mitigation guidance is available in the GitHub security advisory at https://github.com/danny-avila/LibreChat/security/advisories/GHSA-cxhj-j78r-p88f and the patching commit at https://github.com/danny-avila/LibreChat/commit/211b39f3113d4e6ecab84be0a83f4e9c9dea127f, which security practitioners should review for deployment instructions.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2008
Vulnerability details
LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbitrary commands without validation, allowing any authenticated user to execute shell commands as root inside the container through a single API request. This vulnerability…
more
is fixed in v0.8.2-rc2.
- CWE(s)
AI Security AnalysisAI
- AI Category
- LLM Application Platforms
- Risk Domain
- Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: chatgpt, librechat, mcp
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct RCE via unauthenticated command injection in exposed web app (T1190) enabling Unix shell command execution (T1059.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations, directly addressing the improper authorization that allows high-privilege users to execute arbitrary shell commands via the MCP stdio transport.
Requires validation of API inputs to prevent acceptance of arbitrary commands without checks in the stdio transport.
Limits privileges so that even high-privilege authenticated users cannot execute arbitrary root shell commands inside the container.