CVE-2026-22252
📋 TL;DR
This critical vulnerability in LibreChat allows authenticated users to execute arbitrary shell commands as root within the container via a single API request. The flaw exists in the MCP stdio transport which accepts commands without proper validation. All LibreChat instances running versions prior to v0.8.2-rc2 are affected.
💻 Affected Systems
- LibreChat
📦 What is this software?
LibreChat by LibreChat
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise - attacker gains root access to the container, can exfiltrate data, install persistent backdoors, pivot to other systems, or destroy the environment.
Likely Case
Attacker executes commands to steal sensitive data, install cryptocurrency miners, or use the system as a foothold for further attacks.
If Mitigated
With proper network segmentation and minimal container privileges, impact could be limited to the container environment only.
🎯 Exploit Status
Exploitation requires authenticated access but is trivial once authenticated. The advisory provides technical details that could be weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.8.2-rc2 and later
Vendor Advisory: https://github.com/danny-avila/LibreChat/security/advisories/GHSA-cxhj-j78r-p88f
Restart Required: Yes
Instructions:
1. Stop the LibreChat container/service.
2. Update to v0.8.2-rc2 or later using git pull or by downloading the new release.
3. Rebuild and restart the container/service.
4. Verify the fix by checking the version and testing functionality.
🔧 Temporary Workarounds
Disable MCP stdio transport
linux: Temporarily disable the vulnerable MCP stdio transport feature if not required
Modify LibreChat configuration to disable MCP stdio transport or remove related environment variables
Restrict container privileges
linux: Run container with minimal privileges to limit impact
docker run --read-only --cap-drop=ALL --security-opt=no-new-privileges librechat
🧯 If You Can't Patch
- Implement strict network segmentation to isolate LibreChat instances from critical systems
- Enforce strong authentication controls and monitor for suspicious API requests to the MCP endpoint
🔍 How to Verify
Check if Vulnerable:
Check LibreChat version - if earlier than v0.8.2-rc2, you are vulnerable. Review logs for unusual API requests to MCP endpoints.
Check Version:
Check the version in LibreChat web interface or container image tag
Verify Fix Applied:
Confirm version is v0.8.2-rc2 or later. Test that arbitrary commands cannot be executed through the MCP stdio transport.
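A version check for the rule above (anything earlier than v0.8.2-rc2 is affected), as an added example that is not part of the advisory or of LibreChat's own code. It assumes tags of the form vX.Y.Z with an optional -rcN suffix, and the deployment names and inventory are constructed; plain string comparison would rank v0.8.2 below v0.8.2-rc2 and flag a patched instance as vulnerable.

```python
import re

# First fixed release, taken from the advisory summary above.
FIXED = "v0.8.2-rc2"

# Assumed tag shape: vMAJOR.MINOR.PATCH with an optional -rcN suffix.
_TAG = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?$")


def version_key(tag):
    """Return a sortable tuple for a version tag, or None if unparseable."""
    m = _TAG.match(tag.strip())
    if m is None:
        return None
    major, minor, patch, rc = m.groups()
    # A final release sorts after every release candidate of the same x.y.z.
    pre = (0, int(rc)) if rc is not None else (1, 0)
    return (int(major), int(minor), int(patch)) + pre


def status(tag):
    """Classify one tag as 'vulnerable', 'fixed' or 'unknown'."""
    key = version_key(tag)
    if key is None:
        # Floating tags such as "latest" say nothing about the code inside;
        # resolve them to a real version before trusting the result.
        return "unknown"
    return "vulnerable" if key < version_key(FIXED) else "fixed"


def audit(inventory):
    """Map each deployment name to its status."""
    return {name: status(tag) for name, tag in inventory.items()}


# Constructed inventory (deployment names and tags are made up for the example).
INVENTORY = {
    "chat-prod": "v0.8.1",
    "chat-staging": "v0.8.2-rc1",
    "chat-dev": "v0.8.2-rc2",
    "chat-lab": "v0.8.2",
    "chat-next": "v0.10.0",
    "chat-legacy": "latest",
}

if __name__ == "__main__":
    for name, result in audit(INVENTORY).items():
        print(f"{name:14} {INVENTORY[name]:12} {result}")
```

Treat an "unknown" result as unverified rather than safe: pin the deployment to an explicit version tag and re-run the check.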
📡 Detection & Monitoring
Log Indicators:
- Unusual API requests to MCP endpoints
- Shell command execution patterns in container logs
- Authentication logs showing access to MCP features
Network Indicators:
- Unusual outbound connections from LibreChat container
- Command and control traffic patterns
SIEM Query:
source="librechat" AND (uri_path="/api/mcp" OR message="command execution" OR message="shell")