CVE-2026-22252: LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbi
Summary
LibreChat, a ChatGPT clone with extra features, has a vulnerability in versions before v0.8.2-rc2: its MCP stdio transport (a communication method for connecting components) accepts commands without checking whether they are safe, so any logged-in user can run shell commands as root inside a container with a single API request. This is a serious authorization flaw because it bypasses permission checks.
Solution / Mitigation
Update to v0.8.2-rc2 or later. According to the source, 'This vulnerability is fixed in v0.8.2-rc2.'
Vulnerability Details
9.1 (critical)
EPSS: 0.0%
Related Issues
CVE-2022-21727: Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulne
CVE-2024-35199: TorchServe is a flexible and easy-to-use tool for serving and scaling PyTorch models in production. In affected versions
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-22252
First tracked: February 15, 2026 at 08:50 PM
Classified by LLM (prompt v3) · confidence: 92%