LibreChat MCP STDIO Argument Injection (CVE-2026-22252) - ATR-2026-00417 (3b6a0a8a-dd36-5f4b-88e0-b5d8c26e498d)

Detects exploitation of CVE-2026-22252 in LibreChat. The MCP STDIO adapter passes user-supplied tool arguments to child_process.spawn without quoting, allowing argv-level injection: an attacker supplies tool args containing shell-metacharacters or argument-separator sequences (e.g. ; curl evil, --option=$(id), \\n--exec=...) which the spawned process interprets as additional flags or shell commands. Part of the OX Security MCP-by-design batch (2026-04-15). Distinct from CVE-2026-40933 (config-time bypass) — this one targets the runtime argv channel.

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
AI Model Inference API Access (90a420d4-3f03-4800-86c0-223c4376804a)	MITRE ATLAS Attack Pattern	LibreChat MCP STDIO Argument Injection (CVE-2026-22252) - ATR-2026-00417 (3b6a0a8a-dd36-5f4b-88e0-b5d8c26e498d)	Agent Threat Rules	1
LibreChat MCP STDIO Argument Injection (CVE-2026-22252) - ATR-2026-00417 (3b6a0a8a-dd36-5f4b-88e0-b5d8c26e498d)	Agent Threat Rules	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	1
LibreChat MCP STDIO Argument Injection (CVE-2026-22252) - ATR-2026-00417 (3b6a0a8a-dd36-5f4b-88e0-b5d8c26e498d)	Agent Threat Rules	Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839)	Attack Pattern	1
LibreChat MCP STDIO Argument Injection (CVE-2026-22252) - ATR-2026-00417 (3b6a0a8a-dd36-5f4b-88e0-b5d8c26e498d)	Agent Threat Rules	Indirect (a4a55526-2f1f-403b-9691-609e46381e17)	MITRE ATLAS Attack Pattern	1
LLM Prompt Injection (19cd2d12-66ff-487c-a05c-e058b027efc9)	MITRE ATLAS Attack Pattern	Indirect (a4a55526-2f1f-403b-9691-609e46381e17)	MITRE ATLAS Attack Pattern	2