Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain
Details
CVSS v3
9.8
CVSS v4
10.0
NVD published
2026-04-29 18:16:03
EPSS
0.3% probability · 50.3th percentile — 2026-05-12
Affected versions
DocsGPT versions from 0.15.0 to before 0.16.0
Summary
DocsGPT is a popular GPT-powered chat application for documentation. This vulnerability allows remote attackers to craft malicious payloads that bypass MCP validation checks in vulnerable deployments. Successful exploitation leads to full arbitrary remote code execution on the hosting server.
Remediation
Upgrade DocsGPT to the official patched version 0.16.0 or later immediately. Revoke public access to any vulnerable DocsGPT deployment until the patch is applied.
Exploit info
This exploit has been publicly disclosed, with references to this issue documented in trusted public vulnerability databases. You may check Exploit-DB or GitHub for potential exploit details.
TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.