LibreChat MCP STDIO Command Injection to Root RCE - CVE-2026-22252
What happened
CVE-2026-22252 is a critical command injection vulnerability in LibreChat, an open-source chat interface for large language models, affecting builds prior to v0.8.2-rc2. The flaw lives in LibreChat's MCP STDIO transport, which accepts an arbitrary command and arguments and passes them to the system shell without validation. Any authenticated user can craft an API request targeting the MCP STDIO endpoint and have that input interpreted directly as shell input. Because the application performs no sanitization or allowlisting of the supplied command, the request executes shell commands as root inside the container, resulting in full container compromise and a path to lateral movement. The issue was fixed in v0.8.2-rc2, which adds validation on the MCP STDIO transport.
This is not an isolated bug. It is one of several independently reported instances of the same underlying STDIO execution pattern - the same shape appeared in MCP Inspector, WeKnora, and other projects. The common thread is an MCP transport that treats a user- or model-controlled command as something to run rather than something to validate, a pattern we cover in the MCP Server Security guide and the sibling advisory on MCP STDIO execution by design.
Why this is an agentic-endpoint risk
MCP STDIO is the most common way an agent launches a local server: the client spawns a child process and speaks the protocol over standard input and output. That design assumes the command being spawned is trusted. CVE-2026-22252 breaks that assumption - an authenticated user, not an administrator, controls the command, and the host runs it as root. This is exactly the artifact layer traditional controls were never built to see: a legitimate application process spawning a child the way it is designed to, with the malicious intent encoded in configuration data rather than in network traffic or a known-bad binary.
It is also a textbook case of shadow AI on the endpoint. LibreChat is installed bottom-up to give a team a usable chat front end, the MCP STDIO transport is enabled to wire in tools, and no one in security inventories which version is running or which accounts can reach the MCP configuration. The capability that turns a chat app into a root shell lives in a config surface that changes without review and is never attested.
How Anomity surfaces and governs it
Anomity treats MCP servers and the applications that host them as part of the eight AI artifact types it inventories on every managed endpoint. For each LibreChat instance it surfaces the exact version in use, so finding everything prior to v0.8.2-rc2 becomes a single query rather than an incident-response sweep, and flags any MCP STDIO transport that can spawn commands without validation.
On agents that expose a hook - for example the PreToolUse event in Claude Code - Anomity applies runtime governance, returning allow, deny, or log on each MCP tool call before it runs. A STDIO command that a CVE-2026-22252 injection attempt would trigger is evaluated against policy first, so an unexpected shell invocation can be denied rather than executed. Every install, version change, and decision lands in a queryable 90-day audit trail, giving responders a precise exposure window. Anomity collects metadata only, with on-endpoint secret redaction, so command arguments that contain credentials never leave the host. None of this replaces patching - upgrade to v0.8.2-rc2 - but it closes the window before and after the fix is deployed.
"You can't govern what you can't see." - The Anomity principle
What to check across your fleet
- Inventory every endpoint and container image for LibreChat and record its version; upgrade anything prior to v0.8.2-rc2.
- If you cannot upgrade immediately, restrict who can configure MCP servers and run the application without root inside the container.
- Identify every account that can reach the MCP STDIO configuration endpoint and confirm least privilege - this flaw needs only an authenticated session.
- Confirm no MCP STDIO transport accepts unvalidated commands or arguments from user-controlled input.
- Review the audit trail for MCP STDIO command executions that fall outside normal tool workflows.
- Add a policy: MCP servers must run as a non-root user and must validate or allowlist the commands their transport will spawn.
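The allowlist-and-argv pattern the last two checks describe, as an added example written for this advisory and not taken from LibreChat or from the v0.8.2-rc2 fix: `validateStdioConfig` and `launchStdioServer` are hypothetical helper names, and the allowlisted launcher paths are constructed sample values.

```javascript
// Added example (not LibreChat's own code): an allowlist validator for MCP
// STDIO server configs that come from user-controlled input.

// Only these launchers may be spawned, each pinned to an absolute path so a
// user-supplied "command" is never resolved through PATH. Sample values.
const COMMAND_ALLOWLIST = {
  node: "/usr/bin/node",
  npx: "/usr/bin/npx",
  uvx: "/usr/local/bin/uvx",
};

// Characters that only have meaning if the argument were handed to a shell.
const SHELL_META = /[;&|`$<>(){}\n\r\\"']/;

// Validate a {command, args} pair. Returns a spawn spec on success or
// { ok: false, reason } on failure; never throws on bad input.
function validateStdioConfig(cfg) {
  if (!cfg || typeof cfg.command !== "string") {
    return { ok: false, reason: "command must be a string" };
  }
  const file = COMMAND_ALLOWLIST[cfg.command];
  if (!file) {
    return { ok: false, reason: `command not allowlisted: ${cfg.command}` };
  }
  const args = Array.isArray(cfg.args) ? cfg.args : [];
  for (const a of args) {
    if (typeof a !== "string" || a.length === 0 || a.length > 256) {
      return { ok: false, reason: "argument must be a non-empty string of at most 256 chars" };
    }
    if (SHELL_META.test(a)) {
      return { ok: false, reason: `shell metacharacter in argument: ${JSON.stringify(a)}` };
    }
  }
  // shell:false means args reach execve as an argv array, never as a shell line.
  return { ok: true, file, args, options: { shell: false } };
}

// Spawn only after validation; callers never hand raw config to child_process.
// spawnFn is injectable so the logic can be exercised without a real process.
function launchStdioServer(cfg, spawnFn) {
  const v = validateStdioConfig(cfg);
  if (!v.ok) throw new Error(`refusing to spawn MCP STDIO server: ${v.reason}`);
  const spawn = spawnFn || require("node:child_process").spawn;
  return spawn(v.file, v.args, { ...v.options, stdio: ["pipe", "pipe", "inherit"] });
}
```

Pair this with running the host application as a non-root user, since validation limits what is spawned but not the privilege the child inherits.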
This advisory is part of our MCP Server Security guide, which covers the full STDIO and unauthenticated-transport pattern, MCP trust tiers, and how to inventory and govern every server across your fleet. To see your own MCP posture - which instances are exposed, which transports spawn shells, and what runtime governance would deny - book a 30-minute demo.
Frequently asked questions
Am I affected by CVE-2026-22252?
You are exposed if you run any LibreChat build prior to v0.8.2-rc2 with the MCP STDIO transport reachable to authenticated users. Because the flaw needs only a valid authenticated session - not an admin role - every account that can reach the MCP configuration endpoint is a potential entry point. The fix landed in v0.8.2-rc2, which adds validation on the STDIO transport. The practical first step is knowing where LibreChat runs across your fleet and which version each instance is on, which requires an inventory of AI tooling on every endpoint.
What does the vulnerability allow?
Any authenticated user can craft an API request targeting the MCP STDIO endpoint and have the supplied command and arguments interpreted directly as shell input. LibreChat performs no sanitization or allowlisting, so the command executes as root inside the container. That yields full container compromise and a foothold for lateral movement to whatever the container can reach - internal services, cloud metadata endpoints, and credentials mounted into the workload.
How is CVE-2026-22252 related to other MCP STDIO flaws?
It is one of several independently reported instances of the same underlying pattern: an MCP STDIO transport that accepts a command and arguments and passes them to the system shell without validation. The same execution pattern was reported in MCP Inspector, WeKnora, and others. Treating it as a single-product bug misses the point - STDIO transports that take user-controlled commands are a recurring class, which is why a fleet-wide policy on MCP execution matters more than patching one application.
How does Anomity help with CVE-2026-22252?
Anomity inventories AI tooling - including MCP servers and the applications that host them - across every managed endpoint and surfaces the version in use, so finding every vulnerable LibreChat instance is one query rather than a fleet hunt. On agents that expose a hook, it allows, denies, or logs each MCP tool call before it runs, so a STDIO command an injection attempt would trigger is evaluated against policy first. Every install, version change, and decision is recorded in a queryable 90-day audit trail.