CVE-2026-22252
Published: 12 January 2026
Summary
CVE-2026-22252 is a critical-severity Improper Authorization (CWE-285) vulnerability in Librechat Librechat. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as APIs and Models; in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations, directly addressing the improper authorization that allows high-privilege users to execute arbitrary shell commands via the MCP stdio transport.
Requires validation of API inputs to prevent acceptance of arbitrary commands without checks in the stdio transport.
Limits privileges so that even high-privilege authenticated users cannot execute arbitrary root shell commands inside the container.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct RCE via unauthenticated command injection in exposed web app (T1190) enabling Unix shell command execution (T1059.004).
NVD Description
LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbitrary commands without validation, allowing any authenticated user to execute shell commands as root inside the container through a single API request. This vulnerability…
more
is fixed in v0.8.2-rc2.
Deeper analysisAI
CVE-2026-22252 is a critical vulnerability in LibreChat, an open-source ChatGPT clone with additional features, affecting versions prior to v0.8.2-rc2. The issue resides in LibreChat's MCP stdio transport, which accepts arbitrary commands without validation. This flaw, published on 2026-01-12, carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and is categorized under CWE-285 (Improper Authorization), enabling remote code execution.
Any authenticated user with high privileges can exploit this vulnerability over the network with low complexity through a single API request. Successful exploitation allows the attacker to execute arbitrary shell commands as root inside the LibreChat container, potentially granting full control over the containerized environment, including high confidentiality, integrity, and availability impacts due to the scope change.
The vulnerability is fixed in LibreChat v0.8.2-rc2. Official mitigation guidance is available in the GitHub security advisory at https://github.com/danny-avila/LibreChat/security/advisories/GHSA-cxhj-j78r-p88f and the patching commit at https://github.com/danny-avila/LibreChat/commit/211b39f3113d4e6ecab84be0a83f4e9c9dea127f, which security practitioners should review for deployment instructions.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- APIs and Models
- Risk Domain
- Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: mcp