CVE-2026-26015: RCE in DocsGPT
Platform: nodejs
Component: docsgpt
Fixed in: 0.16.0
CVE-2026-26015 describes a Remote Code Execution (RCE) vulnerability affecting DocsGPT, a GPT-powered chat for documentation. This flaw allows attackers to bypass security checks and execute arbitrary code on vulnerable systems. The vulnerability impacts versions 0.15.0 through 0.15.9, and a patch is available in version 0.16.0.
Impact and Attack Scenarios
Successful exploitation of CVE-2026-26015 grants an attacker complete control over the affected DocsGPT instance. This includes the ability to read, modify, and execute files, potentially leading to data theft, system compromise, and further lateral movement within the network. Given DocsGPT's function as a documentation chat interface, an attacker could potentially gain access to sensitive internal documentation or source code. The blast radius extends to any system or user interacting with the vulnerable DocsGPT deployment.
Exploitation Context
CVE-2026-26015 was published on 2026-04-29. The vulnerability's severity is pending evaluation. Currently, there are no publicly available exploits or active campaigns targeting this vulnerability. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.
Threat Intelligence
EPSS: 0.28% (52nd percentile)
Mitigation and Workarounds
The primary mitigation for CVE-2026-26015 is to upgrade DocsGPT to version 0.16.0 or later without delay. If upgrading is not immediately feasible, isolate the vulnerable DocsGPT instance from external networks so that untrusted parties cannot reach it. There is no direct workaround for the bypass of the MCP validation check itself, but strict validation and sanitization of all user-provided data, in particular anything that ends up in an MCP server configuration, reduces the attack surface. After upgrading, verify the fix by re-running the documented bypass scenario and confirming that the MCP check now rejects it instead of executing code.
How to fix
Update DocsGPT to version 0.16.0 or later to mitigate the remote code execution vulnerability. The update fixes the issue by addressing input validation in the MCP STDIO configuration, preventing the execution of malicious code.
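The advisory only states that the fix tightens input validation on the MCP STDIO configuration. As an added illustration, not DocsGPT's own code, the validator below shows the shape such a check takes: an MCP stdio server definition (assumed here to be a dict with `command`, `args` and `env`) is accepted only when the executable is on a fixed allowlist, is given as a bare program name, carries no interpreter "evaluate this string" flag, no shell metacharacters, and no environment variable that would preload code into the child process. The allowlist and the blocked variable names are constructed policy for the example.

```python
import os
import re

# Constructed policy for this example: bare program names an operator has approved
# as MCP stdio servers. Real deployments should allowlist full server definitions.
ALLOWED_COMMANDS = {"npx", "uvx", "python3"}
# Flags that turn an allowed interpreter/launcher into an arbitrary-code runner.
FORBIDDEN_ARGS = {"-c", "-e", "--eval"}
# Environment variables that inject code into a child process before it starts.
FORBIDDEN_ENV = {"LD_PRELOAD", "NODE_OPTIONS", "PYTHONPATH", "PYTHONSTARTUP"}
# Argument tokens: no whitespace, quotes, redirections or other shell metacharacters.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9@._+:/=-]+$")
ENV_NAME = re.compile(r"^[A-Z_][A-Z0-9_]*$")


class McpConfigError(ValueError):
    """Raised when an MCP stdio server definition is rejected."""


def validate_stdio_server(cfg: dict) -> dict:
    """Return a normalized {command, args, env} dict or raise McpConfigError."""
    if cfg.get("transport", "stdio") != "stdio":
        raise McpConfigError("only stdio transport is handled here")
    command = cfg.get("command")
    if not isinstance(command, str) or not command:
        raise McpConfigError("command must be a non-empty string")
    # A path (absolute or relative) must not be able to smuggle in another binary.
    if os.path.basename(command) != command:
        raise McpConfigError("command must be a bare program name, not a path")
    if command not in ALLOWED_COMMANDS:
        raise McpConfigError(f"command {command!r} is not on the allowlist")
    args = cfg.get("args", [])
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        raise McpConfigError("args must be a list of strings")
    for arg in args:
        if arg in FORBIDDEN_ARGS or not SAFE_TOKEN.match(arg):
            raise McpConfigError(f"argument {arg!r} is not allowed")
    env = cfg.get("env", {})
    if not isinstance(env, dict):
        raise McpConfigError("env must be a mapping")
    for name, value in env.items():
        if not ENV_NAME.match(str(name)) or not isinstance(value, str):
            raise McpConfigError(f"malformed environment entry {name!r}")
        if name in FORBIDDEN_ENV:
            raise McpConfigError(f"environment variable {name} is not allowed")
    return {"command": command, "args": list(args), "env": dict(env)}


def is_safe(cfg: dict) -> bool:
    """Boolean wrapper around validate_stdio_server for quick checks."""
    try:
        validate_stdio_server(cfg)
        return True
    except McpConfigError:
        return False
```

The `is_safe` helper exists only for tests and logging; application code should call `validate_stdio_server` and spawn the process from the returned, normalized definition rather than from the raw input.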
Frequently asked questions
What is CVE-2026-26015 — RCE in DocsGPT?
CVE-2026-26015 is a Remote Code Execution vulnerability in DocsGPT versions 0.15.0 through 0.15.9. Attackers can bypass security checks to execute arbitrary code, potentially compromising the system.
Am I affected by CVE-2026-26015 in DocsGPT?
You are affected if you are running DocsGPT version 0.15.0 through 0.15.9. Versions prior to 0.15.0 are not vulnerable, and version 0.16.0 and later are patched.
How do I fix CVE-2026-26015 in DocsGPT?
Upgrade DocsGPT to version 0.16.0 or later to resolve the vulnerability. If immediate upgrade is not possible, isolate the vulnerable instance and implement strict input validation.
Is CVE-2026-26015 being actively exploited?
Currently, there are no publicly known active exploitation campaigns targeting CVE-2026-26015, but it's crucial to apply the patch promptly.
Where can I find the official DocsGPT advisory for CVE-2026-26015?
Refer to the official DocsGPT project repository and release notes for the advisory and patch details. Check the project's website and relevant security mailing lists for updates.