CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-26015

CVSS 10.0v4.0pub. 2026-04-29upd. 2026-05-06

DocsGPT is a GPT-powered chat for documentation. From version 0.15.0 to before version 0.16.0, an attacker accessing both the official DocsGPT website or any local and public deployment, can craft a malicious payload bypassing the "MCP test" behavior to achieve arbitrary remote code execution (RCE). This issue has been patched in version 0.16.0.

🤖 AI Analysis
How it works

An attacker crafts a malicious payload that bypasses the control mechanism known as 'MCP test'. The vulnerability is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command), which means the application does not properly filter input data passed to system calls or commands. This results in the ability to inject and execute arbitrary commands in the context of the application process. The attack can be conducted remotely, without authentication and without user interaction.

Impact

An attacker can gain full control over the server — execute arbitrary code, read or modify data, and potentially move laterally within the target network. The maximum CVSS score of 10.0 reflects the full impact on confidentiality, integrity, and availability of both the attacked system and related resources.

Mitigation & patch

DocsGPT must be immediately updated to version 0.16.0 or later. The patch is available in the vendor's GitHub repository: https://github.com/arc53/DocsGPT/releases/tag/0.16.0. Until the update is deployed, it is recommended to restrict network access to the DocsGPT instance (e.g., firewall, VPN) and monitor logs for unexpected system command invocations.

Who is affected

DocsGPT versions 0.15.0 to below 0.16.0 (all deployments: vendor's official website, public and local installations).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Arc53 Docsgpt

    APP
    Arc53
    0.15.0
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCE
CWE
References