Description
LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbitrary commands without validation, allowing any authenticated user to execute shell commands as root inside the container through a single API request. This vulnerability is fixed in v0.8.2-rc2.
Published: 2026-01-12
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Patch Immediately
AI Analysis

Impact

LibreChat's MCP stdio transport, prior to version 0.8.2-rc2, treats incoming requests as direct shell commands without validation. An authenticated user can send a specially crafted API request that results in arbitrary command execution with root privileges inside the container. This flaw is a Command Injection type vulnerability (CWE-285) that can compromise confidentiality, integrity, and availability of the host system.

Affected Systems

The affected product is LibreChat by danny-avila, specifically versions up to and including 0.8.2-rc1. The vulnerability exists in the containerized deployment of LibreChat and is resolved in 0.8.2-rc2. All users running the unpatched release that expose the MCP stdio transport are vulnerable.

Risk and Exploitability

The CVSS score of 9.1 indicates a critical severity, while the EPSS score of less than 1% signals a very low likelihood of exploitation observed so far, and the vulnerability is not currently listed in CISA's known exploited vulnerabilities catalog. Nevertheless, because the vulnerability allows root‑level execution from an authenticated session, it is likely to be abused once discovered. An attacker can achieve full control over the container host by sending a single API request as any legitimate user.

Generated by OpenCVE AI on April 18, 2026 at 07:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LibreChat to version 0.8.2-rc2 or later, which sanitizes commands sent to the MCP stdio transport.
  • If an upgrade is infeasible, revoke or restrict authenticated access to the MCP stdio API until the patch is applied, or disable the transport altogether.
  • After applying the patch, run the LibreChat container under least‑privilege user accounts, and enforce input validation on any remaining command execution points to reduce the risk of future injection flaws.

Generated by OpenCVE AI on April 18, 2026 at 07:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 15 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:librechat:librechat:0.8.2:rc1:*:*:*:*:*:*

Tue, 13 Jan 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Librechat
Librechat librechat
Vendors & Products Librechat
Librechat librechat

Mon, 12 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 12 Jan 2026 18:30:00 +0000

Type Values Removed Values Added
Description LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbitrary commands without validation, allowing any authenticated user to execute shell commands as root inside the container through a single API request. This vulnerability is fixed in v0.8.2-rc2.
Title LibreChat MCP Stdio Remote Command Execution
Weaknesses CWE-285
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Librechat Librechat
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-12T18:48:33.821Z

Reserved: 2026-01-07T05:19:12.921Z

Link: CVE-2026-22252

cve-icon Vulnrichment

Updated: 2026-01-12T18:48:18.252Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-12T19:16:03.200

Modified: 2026-01-15T22:46:28.130

Link: CVE-2026-22252

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T07:15:25Z

Weaknesses