CVE-2026-26015: RCE in DocsGPT 0.15.0
Platform: nodejs
Component: docsgpt
Fixed in: 0.16.0
CVE-2026-26015 describes a critical Remote Code Execution (RCE) vulnerability affecting DocsGPT, a GPT-powered chat application for documentation. This flaw allows an attacker to bypass the "MCP test" and execute arbitrary code on systems running DocsGPT versions 0.15.0 through 0.15.9. The vulnerability has been patched in version 0.16.0.
Impact and Attack Scenarios
The RCE vulnerability in DocsGPT allows an attacker to execute arbitrary code on the server hosting the application. This could lead to complete system compromise, data breaches, and the installation of malicious software. The vulnerability's impact is particularly severe because it can be exploited remotely, affecting both the official DocsGPT website and any locally deployed instances. Successful exploitation could allow an attacker to steal sensitive documentation, modify the application's behavior, or use the compromised server to launch attacks against other systems.
Exploitation Context
CVE-2026-26015 is a critical RCE vulnerability with the potential for widespread impact. The vulnerability's public disclosure and the ease of exploitation increase the likelihood of attacks. No specific campaigns or KEV/EPSS scores are currently available. Published on 2026-04-29.
Threat Analysis
Exploit status
EPSS: 0.28% (52nd percentile)
Affected software
Vulnerability classification (CWE)
Timeline
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2026-26015 is to immediately upgrade DocsGPT to version 0.16.0 or later. This version includes a fix for the MCP test bypass vulnerability. If upgrading is not immediately possible, consider isolating the DocsGPT instance from sensitive resources and implementing strict access controls. Monitor system activity for suspicious behavior. After upgrading, verify the fix by attempting to bypass the MCP test with a known payload and confirming that the execution is blocked.
How to fix
Upgrade DocsGPT to version 0.16.0 or later to mitigate the remote code execution vulnerability. This update fixes the issue by addressing input validation in the MCP STDIO configuration, preventing the execution of malicious code.
Frequently Asked Questions
What is CVE-2026-26015, the Remote Code Execution (RCE) vulnerability in DocsGPT?
It's a Remote Code Execution (RCE) vulnerability in DocsGPT allowing attackers to execute arbitrary code.
Am I affected by CVE-2026-26015 in DocsGPT?
If you're using DocsGPT versions 0.15.0 to <0.16.0, you are affected.
How do I fix CVE-2026-26015 in DocsGPT?
Upgrade to DocsGPT version 0.16.0 or later to address the vulnerability.
Is CVE-2026-26015 being actively exploited?
The RCE nature suggests a high likelihood of exploitation, and immediate action is recommended.
Where can I find the official DocsGPT advisory for CVE-2026-26015?
Refer to the DocsGPT project repository for details on the fix and the affected code.