CVE-2026-22252: One Login, One API Call, Full Root Shell – Critical LibreChat Command Execution Flaw

CVE ID: CVE-2026-22252
Product: LibreChat
Affected Component: MCP (Model Context Protocol) – stdio transport
Severity: Critical
CVSS v3.1 Score: 9.1 (Critical)
Attack Vector: Network
Privileges Required: Authenticated user (low barrier if self-registration is enabled)
User Interaction: None
Exploitability: High in real-world deployments
Exploit Availability: Public proof-of-concept available (educational and defensive testing only)


Executive overview

CVE-2026-22252 is a critical security flaw in LibreChat versions prior to 0.8.2-rc2 that allows an authenticated user to execute arbitrary operating system commands as root inside the LibreChat container.

The issue exists in the MCP (Model Context Protocol) integration, specifically when LibreChat is configured to use stdio-based MCP servers. Due to missing validation and unsafe defaults, LibreChat trusts user-supplied commands and executes them directly on the host runtime (container).

In simple terms:
If a user can log in, they can make LibreChat run system commands of their choice.


Why this vulnerability is dangerous

Although authentication is required, many LibreChat installations allow open user registration. This makes exploitation trivial in practice.

Once exploited, an attacker can:

  • Run shell commands as root inside the container
  • Read application secrets (API keys, database credentials, JWT secrets)
  • Modify application files
  • Drop backdoors or web-accessible files
  • Exfiltrate sensitive data
  • Potentially pivot to internal services reachable from the container

This is not a theoretical risk — the attack requires one API request and does not rely on race conditions or complex chains.


Technical root cause

LibreChat supports MCP servers to extend model capabilities. One supported transport type is stdio, which allows LibreChat to spawn a local process and communicate with it via standard input/output.

The core problem

  • LibreChat allows any authenticated user to create MCP servers by default.
  • When creating an MCP server of type stdio, the user can supply:
    • A command
    • An array of args
  • These values are not validated, restricted, or sanitized.
  • LibreChat spawns the supplied command directly using the system shell.
  • The process runs with the same privileges as LibreChat itself (root inside the container).

This creates a direct path from user input to OS command execution.


How the attack works

  1. Attacker registers a normal user account (or uses an existing one).
  2. Attacker authenticates to LibreChat.
  3. Attacker sends a crafted API request to the MCP server creation endpoint.
  4. The request defines an MCP server using:
    • Transport type: stdio
    • Command: /bin/sh
    • Arguments: -c <attacker command>
  5. LibreChat immediately spawns the process.
  6. The supplied shell command executes as root inside the container.

No additional interaction is required.


Proof of concept

A public proof-of-concept exists demonstrating:

  • Arbitrary command execution
  • Writing command output to a web-accessible directory
  • Retrieving execution results via HTTP

This PoC is intended only for security testing, validation, and educational purposes. Running it against systems you do not own or have permission to test is illegal.


Realistic exploitation scenarios

  • Dumping .env files to extract API keys and secrets
  • Writing output to /public directories and downloading it via browser
  • Installing additional tooling inside the container
  • Modifying frontend files to inject malicious JavaScript
  • Abusing container network access to reach internal databases or services

Even if the container itself is isolated, data exposure alone is severe.


Detection and monitoring guidance

Key log sources to monitor

  1. LibreChat application logs
    • MCP server creation events
    • Errors or warnings around MCP execution
  2. Web/API access logs
    • POST requests to MCP-related endpoints
    • Requests containing unusual JSON payloads
  3. Container runtime logs
    • Process creation events
    • Unexpected shell execution (/bin/sh, bash, dash)
  4. File access logs
    • New or modified files under web-accessible paths
    • Unexpected reads of .env, config, or credential files

Indicators of exploitation

Watch closely for:

  • API requests creating MCP servers with type: stdio
  • Payloads containing:
    • /bin/sh
    • -c
    • Shell operators (;, &&, |)
  • Newly created files in public directories
  • Shell processes spawned by the LibreChat process
  • HTTP requests retrieving unexpected files shortly after MCP creation

Any of these should be treated as a high-severity incident.


Example detection logic

API-level detection

  • Alert when a non-admin user creates an MCP server using stdio
  • Alert on MCP configurations containing shell binaries

Process-level detection

  • Alert if LibreChat spawns:
    • /bin/sh
    • bash
    • sh -c

File-level detection

  • Alert on writes to:
    • Public/static directories
    • Configuration files
    • Environment files
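
The indicators listed above and the API-level rules in this section, turned into a runnable checker. This is an added example written for this post, not LibreChat's own code or log format: it assumes the MCP creation endpoint path contains "mcp", that each API log line is a JSON record carrying user, role, method, path and the parsed request body, and the sample log lines are constructed. Beyond the three operators named above it also treats backticks, $( ) and redirection as shell operators, since any of them lets one command string run several programs.

```javascript
// Added detection example, not LibreChat's own code. Turns the indicators in the
// advisory into a checker over JSON API-log records. Assumptions: MCP endpoint
// paths contain "mcp"; each log line is a JSON object with user, role, method,
// path and the parsed request body.

const MCP_PATH = /\/mcp/i;                        // assumed: MCP endpoints contain "mcp"
const SHELL_NAMES = new Set(['sh', 'bash', 'dash', 'ash', 'zsh', 'busybox']);
// ; && | from the advisory, plus backticks, $( ) and redirection.
const SHELL_OPERATORS = /[;|&<>`]|\$\(/;

// Basename so "/bin/sh", "/usr/bin/sh" and "sh" all compare equal.
function basename(cmd) {
  return String(cmd).trim().split('/').pop();
}

// Classify one parsed log record. Returns { alert, reasons }.
function classifyMcpRequest(record) {
  const reasons = [];
  const body = record.body;
  if (record.method !== 'POST' || !MCP_PATH.test(record.path || '') ||
      !body || body.type !== 'stdio') {
    return { alert: false, reasons };           // not a stdio MCP creation
  }
  const args = Array.isArray(body.args) ? body.args.map(String) : [];

  if (record.role !== 'admin') reasons.push('stdio MCP server created by non-admin user');
  if (SHELL_NAMES.has(basename(body.command))) reasons.push('command is a shell binary');
  if (args.includes('-c')) reasons.push('args contain -c');
  if (SHELL_OPERATORS.test([body.command, ...args].join(' '))) {
    reasons.push('shell operators in payload');
  }
  return { alert: reasons.length > 0, reasons };
}

// Scan raw JSON log lines; malformed lines are skipped rather than fatal.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    let record;
    try { record = JSON.parse(line); } catch { continue; }
    const verdict = classifyMcpRequest(record);
    if (verdict.alert) {
      hits.push({ user: record.user, path: record.path, reasons: verdict.reasons });
    }
  }
  return hits;
}

// Constructed sample log (not real traffic); users, paths and commands are made up.
const SAMPLE_API_LOG = [
  JSON.stringify({ user: 'alice', role: 'admin', method: 'POST', path: '/api/mcp/servers',
    body: { type: 'stdio', command: 'node', args: ['filesystem-server.js', '/data'] } }),
  JSON.stringify({ user: 'mallory', role: 'user', method: 'POST', path: '/api/mcp/servers',
    body: { type: 'stdio', command: '/bin/sh', args: ['-c', 'id; hostname > /app/public/out.txt'] } }),
  JSON.stringify({ user: 'bob', role: 'user', method: 'GET', path: '/api/mcp/servers', body: null }),
  JSON.stringify({ user: 'carol', role: 'user', method: 'POST', path: '/api/mcp/servers',
    body: { type: 'sse', url: 'https://mcp.example.internal/sse' } }),
  'this line is not JSON',
];

for (const hit of scanLog(SAMPLE_API_LOG)) {
  console.log(`ALERT user=${hit.user} path=${hit.path} :: ${hit.reasons.join('; ')}`);
}
```

Only the second sample line is flagged, with all four indicators; the admin's non-shell stdio server, the GET request, the SSE server and the malformed line produce nothing. A non-admin creating a stdio server with a vetted launcher still raises the single "non-admin" indicator, matching the API-level rule above.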

MITRE ATT&CK mapping

  • T1059 – Command and Scripting Interpreter
    • Direct execution of shell commands
  • T1190 – Exploit Public-Facing Application
    • Abuse of exposed API endpoint
  • T1078 – Valid Accounts
    • Exploitation using legitimate user credentials
  • T1552 – Unsecured Credentials
    • Reading secrets from environment/config files
  • T1105 – Ingress Tool Transfer
    • Dropping tools or files via command execution

Mitigation and hardening recommendations

Immediate actions

  • Upgrade LibreChat immediately (see official patch link below).
  • Review logs for historical MCP server creation activity.
  • Rotate secrets if compromise is suspected.

Short-term hardening

  • Disable MCP server creation for non-admin users.
  • Disable stdio MCP transport entirely if not required.
  • Run LibreChat containers as a non-root user.
  • Restrict container network egress.

Long-term best practices

  • Enforce strict input validation for any feature that spawns processes.
  • Apply the principle of least privilege to containers.
  • Monitor API behavior, not just authentication events.
  • Regularly audit default configuration settings.
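
The root-cause section describes user-supplied command and args handed straight to a shell. The following added example (written for this post; not LibreChat's code and not how its patch is implemented) shows that unsafe shape beside a policy check that enforces the hardening above before anything is spawned: stdio disabled or admin-only, an allowlist of vetted server executables, shell: false, and a minimal environment. The POLICY values, the /opt/mcp/bin/filesystem-server path and the config/user record shapes are assumptions.

```javascript
// Added hardening example, not LibreChat's own code. Contrasts the unsafe
// pattern the advisory describes with a policy check applied before any
// process is spawned. POLICY values and the allowlisted path are assumptions.

const POLICY = {
  allowStdio: true,           // false disables the stdio transport outright
  stdioAdminOnly: true,       // non-admin users may not create stdio servers
  // Vetted MCP server executables by absolute path. Do NOT allowlist
  // general-purpose interpreters (sh, bash, python -c, node -e): they hand
  // execution straight back to the user. Path is a constructed placeholder.
  allowedCommands: new Set(['/opt/mcp/bin/filesystem-server']),
  maxArgs: 16,
};

// UNSAFE pattern, for contrast only: raw user values executed via the shell.
// This is the shape of the flaw described above; never build a spawn call this way.
function unsafeSpawnSpec(userConfig) {
  return { command: userConfig.command, args: userConfig.args, shell: true };
}

// SAFE: validate against the policy and return a spawn spec with shell: false,
// or a rejection the API layer can turn into a 400/403.
function buildSpawnSpec(userConfig, user, policy = POLICY) {
  if (!userConfig || userConfig.type !== 'stdio') {
    return { ok: true, spec: null };          // other transports are handled elsewhere
  }
  if (!policy.allowStdio) {
    return { ok: false, error: 'stdio transport is disabled' };
  }
  if (policy.stdioAdminOnly && (!user || user.role !== 'admin')) {
    return { ok: false, error: 'stdio MCP servers may only be created by admins' };
  }
  const command = typeof userConfig.command === 'string' ? userConfig.command : '';
  if (!policy.allowedCommands.has(command)) {
    return { ok: false, error: `command not in allowlist: ${command}` };
  }
  const args = Array.isArray(userConfig.args) ? userConfig.args : [];
  if (args.length > policy.maxArgs) {
    return { ok: false, error: 'too many arguments' };
  }
  for (const arg of args) {
    // With shell: false, metacharacters are literal; control characters are
    // still rejected because no legitimate launcher argument needs them.
    if (typeof arg !== 'string' || /[\0\r\n]/.test(arg)) {
      return { ok: false, error: 'invalid argument' };
    }
  }
  // shell: false makes the runtime exec `command` with `args` as an argv array;
  // no shell parses the strings. A minimal env (instead of process.env) keeps
  // the app's secrets (API keys, DB credentials, JWT secret) out of the child.
  return { ok: true, spec: { command, args, shell: false, env: { PATH: '/usr/bin:/bin' } } };
}

// Example calls with constructed inputs; the child_process.spawn call that
// would consume `spec` is deliberately omitted.
console.log(buildSpawnSpec({ type: 'stdio', command: '/bin/sh', args: ['-c', 'id'] }, { role: 'user' }));
console.log(buildSpawnSpec({ type: 'stdio', command: '/opt/mcp/bin/filesystem-server', args: ['/data'] }, { role: 'admin' }));
```

The first call is rejected twice over (non-admin, and /bin/sh is not on the allowlist); the second returns a spec with shell: false and a clean argv. Running the container as a non-root user and restricting egress, listed above, are deployment settings rather than application code and belong alongside this check, not in place of it.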

Official patch / upgrade link

Upgrade to LibreChat v0.8.2-rc2 or later, which fixes this vulnerability by restricting unsafe MCP behavior.

Official release and patch:
https://github.com/danny-avila/LibreChat/releases


Final Takeaway

CVE-2026-22252 is a textbook example of unsafe command execution via trusted user input. While authentication is technically required, insecure defaults make this vulnerability extremely dangerous in real deployments.

If LibreChat is exposed to the internet and not yet patched, it should be considered at high risk of compromise.

Patch immediately.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.