CVE-2026-26015

UNKNOWN 0.0

Unauthenticated RCE in DocsGPT MCP STDIO Configuration

CVSS Score

0.0

EPSS Score

0.3%

EPSS Percentile

52th

DocsGPT is a GPT-powered chat for documentation. From version 0.15.0 to before version 0.16.0, an attacker accessing both the official DocsGPT website or any local and public deployment, can craft a malicious payload bypassing the "MCP test" behavior to achieve arbitrary remote code execution (RCE). This issue has been patched in version 0.16.0.

CWE	CWE-77
Vendor	arc53
Product	docsgpt
Published	Apr 29, 2026
Last Updated	May 6, 2026

Stay Ahead of the Next One

Get instant alerts for arc53 docsgpt

Be the first to know when new unknown vulnerabilities affecting arc53 docsgpt are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

arc53 / DocsGPT

>= 0.15.0, < 0.16.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/arc53/DocsGPT/security/advisories/GHSA-gcrq-f296-2j74 github.com: https://github.com/arc53/DocsGPT/releases/tag/0.16.0 ox.security: https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/ ox.security: https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/