CVE-2026-22252 PUBLISHED

LibreChat MCP Stdio Remote Command Execution

Assigner: GitHub_M
Reserved: 07.01.2026 Published: 12.01.2026 Updated: 12.01.2026

LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbitrary commands without validation, allowing any authenticated user to execute shell commands as root inside the container through a single API request. This vulnerability is fixed in v0.8.2-rc2.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.1

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	danny-avila
Product	LibreChat
Versions	Version < v0.8.2-rc2 is affected

References

https://github.com/danny-avila/LibreChat/security/advisories/GHSA-cxhj-j78r-p88f
https://github.com/danny-avila/LibreChat/commit/211b39f3113d4e6ecab84be0a83f4e9c9dea127f

Problem Types

CWE-285: Improper Authorization CWE