Input validation error in LibreChat - CVE-2026-22252

Published: April 27, 2026


Vulnerability identifier: #VU128105
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-22252
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LibreChat
Affected software:
LibreChat

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary shell commands as root inside the container.

The vulnerability exists due to improper input validation in the MCP stdio transport when handling crafted API requests for MCP server creation. A remote privileged user can send a specially crafted HTTP request with an arbitrary command to execute arbitrary shell commands as root inside the container.

The issue affects a default installation and is triggered during the inspection step of MCP server creation.


How to mitigate CVE-2026-22252

Install security update from vendor's website.
