What is the CVSS score of CVE-2026-22252?

CVE-2026-22252 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of AI / ML are affected by CVE-2026-22252?

Organizations using LibreChat face critical risk from CVE-2026-22252 rated CVSS 9.1.. A patch is available.

Is there a public PoC exploit available for CVE-2026-22252?

Yes, a public proof-of-concept exploit is available for CVE-2026-22252. Prioritise patching immediately. EPSS: 0.0%.

AI / ML CVE-2026-22252

CRITICAL

Improper Authorization (CWE-285)

2026-01-12 security-advisories@github.com

Authentication Bypass AI / ML Librechat

9.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.1 CRITICAL

AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Jan 15, 2026 - 22:46 vuln.today

Public exploit code

Patch released

Jan 15, 2026 - 22:46 nvd

Patch available

CVE Published

Jan 12, 2026 - 19:16 nvd

CRITICAL 9.1

DescriptionGitHub Advisory

LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbitrary commands without validation, allowing any authenticated user to execute shell commands as root inside the container through a single API request. This vulnerability is fixed in v0.8.2-rc2.

AnalysisAI

LibreChat before v0.8.2-rc2 allows any authenticated user to execute shell commands as root inside the container through the MCP stdio transport. A single API request is sufficient for root code execution. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as privileged user

Exploit

Send crafted API request to MCP stdio transport

Impact

Execute arbitrary shell commands as root in container

Access

Authenticate as privileged user

Exploit

Send crafted API request to MCP stdio transport

Impact

Execute arbitrary shell commands as root in container

Vulnerability AssessmentAI

Exploitation	LibreChat versions prior to v0.8.2-rc2 with MCP stdio transport enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 9.1 (Critical). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An authenticated LibreChat user sends an API request specifying an MCP stdio command of '/bin/sh -c "cat /etc/shadow"'. The server executes it as root, returning the system's password hashes.
Remediation	Update to v0.8.2-rc2 or later. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all affected systems and apply vendor patches immediately. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-22252 vulnerability details – vuln.today

Back

AI / ML CVE-2026-22252

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code