CVE-2026-26015
CriticalSummary
DocsGPT, a GPT-powered chat for documentation, has a vulnerability in versions from 0.15.0 to before 0.16.0 that allows an attacker to achieve remote code execution (RCE) via a malicious payload bypassing the 'MCP test'. This issue has been patched in version 0.16.0.
Risk Assessment
This vulnerability could lead to serious consequences, including unauthorized access to organizational systems and data. An attacker could exploit this vulnerability to execute arbitrary code remotely.
Recommendation
It is recommended to update DocsGPT to version 0.16.0 or later to mitigate this vulnerability. A security audit of existing deployments should also be conducted.
Original NVD description (English source)
DocsGPT is a GPT-powered chat for documentation. From version 0.15.0 to before version 0.16.0, an attacker accessing both the official DocsGPT website or any local and public deployment, can craft a malicious payload bypassing the "MCP test" behavior to achieve arbitrary remote code execution (RCE). This issue has been patched in version 0.16.0.

