CVE-2026-7788
Published: 05 May 2026
Summary
CVE-2026-7788 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in public-facing document management functions directly enables remote file read (T1005), deletion (T1070.004), arbitrary write for tool ingress (T1105), and initial access via exploitation of the exposed app (T1190).
NVD Description
A security flaw has been discovered in Axle-Bucamp MCP-Docusaurus up to 404bc028e15ec304c9a045528560f4b5f27a17e0. The affected element is the function update_document/continue_document/delete_document/get_content of the file app/routes/document.py. Performing a manipulation of the argument DOCS_DIR/path results in path traversal. The attack may be initiated remotely.…
more
The exploit has been released to the public and may be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
Deeper analysisAI
CVE-2026-7788 is a path traversal vulnerability (CWE-22) affecting Axle-Bucamp MCP-Docusaurus up to commit 404bc028e15ec304c9a045528560f4b5f27a17e0. The flaw resides in the update_document, continue_document, delete_document, and get_content functions within the file app/routes/document.py, where manipulation of the DOCS_DIR/path argument enables traversal outside intended directories. This issue was published on 2026-05-05 and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), rated as high severity.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized read, write, or deletion of files outside the intended document directory.
Advisories note that the project uses a rolling release model, providing no specific affected or patched version details. The developers were informed early via GitHub issue #2 but have not responded. An exploit is publicly available, increasing risk. Relevant resources include the project repository at https://github.com/Axle-Bucamp/MCP-Docusaurus/, the issue tracker at https://github.com/Axle-Bucamp/MCP-Docusaurus/issues/2, and VulDB entries at https://vuldb.com/vuln/360994 and related pages.
Details
- CWE(s)
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: mcp