A critical unauthenticated remote code execution (RCE) vulnerability has been disclosed in DocsGPT, the popular open-source AI documentation assistant, allowing attackers to execute arbitrary operating system commands by exploiting a logic flaw in its Model Context Protocol (MCP) STDIO transport configuration.
Tracked as CVE-2026-26015 and assigned GitHub Security Advisory GHSA-gcrq-f296-2j74, the flaw carries a maximum-severity CVSS v4 score with full impact across confidentiality, integrity, and availability, affecting both the official hosted cloud instance at app.docsgpt.cloud and any publicly or locally deployed DocsGPT installation.
The vulnerability was published on April 28, 2026, by security researcher Dartpain. It affects DocsGPT versions 0.15.0 and above up to (but not including) 0.16.0, and has been fully patched in the DocsGPT 0.16.0 release.
The root cause is classified under CWE-77 (Improper Neutralization of Special Elements used in a Command – Command Injection) and the closely related CWE-78 (OS Command Injection).
Critical DocsGPT RCE Vulnerability
The flaw resides specifically inside application/agents/tools/mcp_tool.py, where the application imports StdioTransport from the FastMCP library and constructs an MCP transport session without adequately validating the transport_type parameter in incoming client requests.
When a DocsGPT user adds an MCP server from the web client, the interface only presents HTTP-based MCP server options. The server-side validation logic checks whether the supplied server_url is a valid MCP server endpoint, but critically, it does not restrict what transport_type value can be passed alongside it.
An attacker can craft a malicious JSON payload that supplies a legitimate server_url (such as https://mcp-test.glama.ai/mcp) to pass the validation check, while simultaneously injecting "transport_type": "stdio" alongside an arbitrary command and args field.
Once the server's validation logic approves the URL, it proceeds to construct a StdioTransport object using the attacker-controlled command and args values directly, handing the attacker shell-level command execution on the server host.
The vulnerable code path is as follows:
```python
return StdioTransport(command=command, args=args, env=env)
```
No sanitization, allowlist enforcement, or transport-type restriction is applied before this call is made. As a result, the server blindly executes whatever binary or shell command the attacker specifies, ranging from creating files (touch /tmp/pwn) to launching a full reverse shell or performing data exfiltration.
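To make the validation gap concrete, here is an added illustration (not DocsGPT's or FastMCP's code) of the flawed check beside a hardened one. Field names (server_url, transport_type, command, args, env) come from the advisory; the allowlist of HTTP-based transport names and the sample payload are assumptions.

```python
# Added illustration, not DocsGPT's code. The flaw: server_url was checked but
# transport_type, command and args flowed into StdioTransport untouched.
# ALLOWED_TRANSPORTS is an assumed set of names for the web client's HTTP options.
from dataclasses import dataclass
from urllib.parse import urlparse

ALLOWED_TRANSPORTS = {"http", "sse"}
PROCESS_LAUNCH_FIELDS = {"command", "args", "env"}  # only meaningful for a local STDIO process

@dataclass(frozen=True)
class TransportSpec:
    transport_type: str
    server_url: str

def url_is_valid_endpoint(url: str) -> bool:
    parsed = urlparse(url)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)

def validate_vulnerable(payload: dict) -> dict:
    """Mirrors the flawed logic: only the URL is checked, everything else passes."""
    if not url_is_valid_endpoint(payload.get("server_url", "")):
        raise ValueError("server_url is not a valid MCP endpoint")
    return payload  # transport_type/command/args reach StdioTransport unchecked

def validate_hardened(payload: dict) -> TransportSpec:
    """Rejects any transport the web client cannot legitimately request."""
    url = payload.get("server_url", "")
    if not url_is_valid_endpoint(url):
        raise ValueError("server_url is not a valid MCP endpoint")
    transport = str(payload.get("transport_type", "http")).strip().lower()
    if transport not in ALLOWED_TRANSPORTS:
        raise ValueError(f"transport_type {transport!r} is not permitted here")
    leaked = PROCESS_LAUNCH_FIELDS.intersection(payload)
    if leaked:
        raise ValueError(f"unexpected process-launch fields: {sorted(leaked)}")
    return TransportSpec(transport, url)

def hardened_rejects(payload: dict) -> bool:
    """True if the hardened validator blocks the payload (handy for tests and log review)."""
    try:
        validate_hardened(payload)
    except ValueError:
        return True
    return False

# Constructed payload shaped like the one the advisory describes
INJECTED = {"server_url": "https://example.test/mcp", "transport_type": "stdio",
            "command": "touch", "args": ["/tmp/pwn"]}
```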
The exploit requires no authentication and no user interaction, and it is reachable over the network. Its CVSS v4 vector, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H, reflects a maximum critical-severity profile with cascading impact on subsequent systems.
The disclosed PoC demonstrates the attack using a single POST request to the /api/mcp_server/test endpoint. An attacker only needs knowledge of the target DocsGPT backend port or URL to trigger execution.
The payload injects transport_type: "stdio" alongside a benign-looking server_url and an arbitrary command such as touch, bash -c, or any shell binary available on the server. The attack is straightforward, requires no special tooling, and can be launched from any location with HTTP access to the backend service.
This vulnerability is not isolated. It is part of a systemic architectural flaw that OX Security researchers uncovered across the Model Context Protocol (MCP), Anthropic’s official standard for AI agent communication.
The research team identified 10 critical CVEs across AI frameworks, including LiteLLM, LangChain, LangFlow, Flowise, LettaAI, and LangBot, all of which are exploitable via MCP STDIO command injection.
The combined blast radius of this vulnerability family is staggering: 150 million+ package downloads, 7,000+ publicly accessible MCP servers, and an estimated 200,000 vulnerable instances globally. OX Security categorized the exploitation families into four distinct vectors:
- Unauthenticated and authenticated command injection via MCP STDIO
- Unauthenticated command injection via direct STDIO configuration with hardening bypass
- Zero-click prompt injection via MCP configuration editing
- Command injection via MCP marketplaces, triggering hidden STDIO configurations
DocsGPT’s CVE-2026-26015 falls directly in the first category, where hidden backend STDIO logic is triggerable by crafted network requests even when the frontend UI does not expose STDIO options to users.
Successful exploitation of CVE-2026-26015 grants attackers full remote code execution on the DocsGPT server with the privileges of the running process.
This enables threat actors to: deploy reverse shells for persistent access, exfiltrate sensitive documents, API keys, and user chat histories, pivot laterally across internal networks when targeting local deployments, and completely compromise the integrity and availability of the DocsGPT service.
The vulnerability directly impacts the official DocsGPT cloud platform (app.docsgpt.cloud), which has already been patched, as well as any self-hosted instance still running version 0.15.x.
Remediation
Organizations must immediately upgrade DocsGPT to version 0.16.0, which addresses the transport-type substitution flaw. Until patching is complete, administrators should restrict network-level access to the DocsGPT backend API (particularly the /api/mcp_server/test endpoint).
Enforce network segmentation for locally deployed instances, and review server logs for anomalous POST requests containing "transport_type": "stdio" payloads.
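The log review recommended above, as an added detection example that is not part of the advisory or of DocsGPT. It assumes a constructed JSON-lines request log that records method, path, client IP and the raw POST body; where a proxy drops bodies, the method-plus-path rule is the remaining signal.

```python
# Added detection example (not from the advisory). Input format is a constructed
# JSON-lines request log; only the endpoint path comes from the advisory.
import json
import re
from typing import Optional

MCP_TEST_PATH = "/api/mcp_server/test"
STDIO_PATTERN = re.compile(r'"transport_type"\s*:\s*"stdio"', re.IGNORECASE)

def classify(record: dict) -> Optional[str]:
    """Return a finding label for one log record, or None if it looks benign."""
    if record.get("method") != "POST" or record.get("path") != MCP_TEST_PATH:
        return None
    body = record.get("body") or ""
    try:
        parsed = json.loads(body)
    except (TypeError, ValueError):
        parsed = None
    if isinstance(parsed, dict):
        if str(parsed.get("transport_type", "")).lower() == "stdio":
            return f"stdio-transport-injection cmd={parsed.get('command')!r}"
        if {"command", "args"} & set(parsed):
            return "suspicious-process-fields"
        return None
    # Body missing or not JSON: fall back to a textual match
    return "stdio-transport-injection" if STDIO_PATTERN.search(body) else None

def scan_log(lines):
    """Yield (line_number, client_ip, label) for every record that warrants review."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip malformed lines rather than abort the whole scan
        label = classify(rec)
        if label:
            findings.append((n, rec.get("client_ip"), label))
    return findings

# Constructed sample records for a stand-alone run (second line is the attempt)
SAMPLE_LOG = [
    '{"client_ip":"203.0.113.5","method":"POST","path":"/api/mcp_server/test","body":"{\\"server_url\\":\\"https://example.test/mcp\\"}"}',
    '{"client_ip":"198.51.100.9","method":"POST","path":"/api/mcp_server/test","body":"{\\"server_url\\":\\"https://example.test/mcp\\",\\"transport_type\\":\\"stdio\\",\\"command\\":\\"touch\\",\\"args\\":[\\"/tmp/pwn\\"]}"}',
    '{"client_ip":"192.0.2.7","method":"GET","path":"/api/conversations","body":""}',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(*finding)
```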
FAQ
Q1: What is CVE-2026-26015?
CVE-2026-26015 is a critical unauthenticated remote code execution vulnerability in DocsGPT (versions ≥0.15.0, <0.16.0) caused by an MCP STDIO transport-type substitution flaw in mcp_tool.py that allows attackers to execute arbitrary OS commands without authentication.
Q2: Who is affected by this vulnerability?
Any user running DocsGPT version 0.15.x, including users of the official app.docsgpt.cloud cloud instance, and anyone hosting a public or local DocsGPT deployment is affected and exposed to full RCE exploitation.
Q3: How does the MCP STDIO attack bypass DocsGPT’s validation logic?
The server validates only the server_url parameter and not the transport_type field; an attacker passes a legitimate URL to satisfy the check while injecting "transport_type": "stdio" with a malicious command, causing the server to invoke StdioTransport with attacker-controlled shell commands.
Q4: Is a patch available, and how does this fit into the broader MCP security crisis?
Yes, DocsGPT 0.16.0 patches the flaw, and this CVE is part of a larger OX Security-disclosed MCP supply chain crisis affecting 10+ AI frameworks (LiteLLM, LangFlow, Flowise, etc.) with over 150 million affected downloads and up to 200,000 exposed instances globally.
Site: https://thecybrdef.com