Cyber Resilience

CVE-2026-22252

CriticalPublic PoC

Published: 12 January 2026

Published
12 January 2026
Modified
15 January 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0368 88.2th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-22252 is a critical-severity Improper Authorization (CWE-285) vulnerability in Librechat Librechat. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 11.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-22252 is a critical vulnerability in LibreChat, an open-source ChatGPT clone with additional features, affecting versions prior to v0.8.2-rc2. The issue resides in LibreChat's MCP stdio transport, which accepts arbitrary commands without validation. This flaw, published on 2026-01-12, carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and is categorized under CWE-285 (Improper Authorization), enabling remote code execution.

Any authenticated user with high privileges can exploit this vulnerability over the network with low complexity through a single API request. Successful exploitation allows the attacker to execute arbitrary shell commands as root inside the LibreChat container, potentially granting full control over the containerized environment, including high confidentiality, integrity, and availability impacts due to the scope change.

The vulnerability is fixed in LibreChat v0.8.2-rc2. Official mitigation guidance is available in the GitHub security advisory at https://github.com/danny-avila/LibreChat/security/advisories/GHSA-cxhj-j78r-p88f and the patching commit at https://github.com/danny-avila/LibreChat/commit/211b39f3113d4e6ecab84be0a83f4e9c9dea127f, which security practitioners should review for deployment instructions.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbitrary commands without validation, allowing any authenticated user to execute shell commands as root inside the container through a single API request. This vulnerability…

more

is fixed in v0.8.2-rc2.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Protocol-Specific Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: chatgpt, librechat, mcp

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Direct RCE via unauthenticated command injection in exposed web app (T1190) enabling Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-41258Same product: Librechat Librechat
CVE-2025-69222Same product: Librechat Librechat
CVE-2025-69220Same product: Librechat Librechat
CVE-2024-10361Same product: Librechat Librechat
CVE-2026-4276Same product: Librechat Librechat
CVE-2026-31945Same product: Librechat Librechat
CVE-2026-31943Same product: Librechat Librechat
CVE-2026-31944Same product: Librechat Librechat
CVE-2026-31942Same product: Librechat Librechat
CVE-2026-33265Same product: Librechat Librechat

Affected Assets

librechat
librechat
0.8.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations, directly addressing the improper authorization that allows high-privilege users to execute arbitrary shell commands via the MCP stdio transport.

prevent

Requires validation of API inputs to prevent acceptance of arbitrary commands without checks in the stdio transport.

prevent

Limits privileges so that even high-privilege authenticated users cannot execute arbitrary root shell commands inside the container.

References