Cyber Resilience

CVE-2026-26015

CriticalPublic PoCRCE

Published: 29 April 2026

Published
29 April 2026
Modified
06 May 2026
KEV Added
Patch
CVSS Score v4 10.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0117 63.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-26015 is a critical-severity Command Injection (CWE-77) vulnerability in Arc53 Docsgpt. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 36.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-26015 is a critical remote code execution (RCE) vulnerability in DocsGPT, an open-source GPT-powered chat application for documentation. It affects versions from 0.15.0 up to but not including 0.16.0, impacting both the official DocsGPT website and any local or public deployments of the software. The flaw stems from CWE-77 (command injection), where an attacker can craft a malicious payload that bypasses the "MCP test" behavior, enabling arbitrary code execution on the server. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its severity due to no authentication or user interaction requirements.

Any unauthenticated attacker with network access to a vulnerable DocsGPT instance can exploit this issue by sending a specially crafted payload through the chat interface or accessible endpoints. Successful exploitation grants full RCE, allowing the attacker to execute arbitrary commands on the host system, potentially leading to complete server compromise, data exfiltration, lateral movement, or persistence in the environment.

The DocsGPT project has addressed this vulnerability in version 0.16.0, as detailed in the official release notes and GitHub security advisory GHSA-gcrq-f296-2j74. Security practitioners should immediately upgrade to version 0.16.0 or later for all deployments, verify patch application, and review access logs for suspicious payloads around the publication date of 2026-04-29.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

DocsGPT is a GPT-powered chat for documentation. From version 0.15.0 to before version 0.16.0, an attacker accessing both the official DocsGPT website or any local and public deployment, can craft a malicious payload bypassing the "MCP test" behavior to achieve…

more

arbitrary remote code execution (RCE). This issue has been patched in version 0.16.0.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Protocol-Specific Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: gpt, mcp

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-26015 enables unauthenticated remote code execution via command injection in the public-facing DocsGPT web chat application, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-34267Shared CWE-77
CVE-2026-4399Shared CWE-77
CVE-2025-49836Shared CWE-77
CVE-2024-34166Shared CWE-77
CVE-2026-26093Shared CWE-77
CVE-2025-56425Shared CWE-77
CVE-2024-55062Shared CWE-77
CVE-2026-30617Shared CWE-77
CVE-2024-54660Shared CWE-77
CVE-2026-41265Shared CWE-77

Affected Assets

arc53
docsgpt
0.15.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly validates and sanitizes user inputs to the chat interface, preventing command injection payloads from bypassing the MCP test and achieving RCE.

prevent

Ensures timely identification, testing, and installation of software patches, such as the fix in DocsGPT version 0.16.0, to remediate the command injection flaw.

prevent

Protects publicly accessible interfaces like the DocsGPT chat from unauthenticated attackers coercing the system into unsafe operations such as arbitrary RCE.

References