CVE-2026-26015

CVE-2026-26015 is a critical remote code execution (RCE) vulnerability in DocsGPT, an open-source GPT-powered chat application for documentation. It affects versions from 0.15.0 up to but not including 0.16.0, impacting both the official DocsGPT website and any local or public deployments of the software. The flaw stems from CWE-77 (command injection), where an attacker can craft a malicious payload that bypasses the "MCP test" behavior, enabling arbitrary code execution on the server. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its severity due to no authentication or user interaction requirements.

Any unauthenticated attacker with network access to a vulnerable DocsGPT instance can exploit this issue by sending a specially crafted payload through the chat interface or accessible endpoints. Successful exploitation grants full RCE, allowing the attacker to execute arbitrary commands on the host system, potentially leading to complete server compromise, data exfiltration, lateral movement, or persistence in the environment.

The DocsGPT project has addressed this vulnerability in version 0.16.0, as detailed in the official release notes and GitHub security advisory GHSA-gcrq-f296-2j74. Security practitioners should immediately upgrade to version 0.16.0 or later for all deployments, verify patch application, and review access logs for suspicious payloads around the publication date of 2026-04-29.