Unauthenticated RCE in DocsGPT MCP stdio transport endpoint
TL;DR - Send POST /api/mcp_server/test with transport_type: "stdio" and a command field. DocsGPT builds a FastMCP StdioTransport and executes whatever you put in command. No authentication required. CVSS v4.0 10.0. Patched in 0.16.0.
What happened
DocsGPT is a self-hosted and cloud-hosted "chat with your docs" platform that supports MCP (Model Context Protocol) tool integrations.
The vulnerability lives in the MCP "test server" flow inside application/agents/tools/mcp_tool.py. The backend validates the provided server_url, but then continues processing additional client-controlled fields without restriction. Set transport_type to "stdio" and DocsGPT constructs a FastMCP StdioTransport(command=..., args=..., env=...) using values the attacker supplied. The backend executes them.
The web UI only exposes HTTP-based MCP configuration - stdio is never shown as an option. But the API accepts it anyway. That gap is the whole bug.
| Item | Detail |
|---|---|
| Vulnerable endpoint | POST /api/mcp_server/test |
| Attack primitive | Unauthenticated remote command execution via transport_type: "stdio" |
| Affected versions | >= 0.15.0, < 0.16.0 |
| Patched version | 0.16.0 |
| Severity | CVSS v4.0 10.0 (Critical) |
This is the exact failure mode that keeps surfacing in agent-tool stacks. The UI may only expose safe transports, but if your backend accepts a richer config object, attackers will send the config you forgot to lock down.
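As an added example (not DocsGPT's own code), the following Python shows what the missing server-side lock-down looks like: a strict allowlist over the test-server request that rejects any transport or field the UI never offers. The field names come from the advisory; the allowed transport set, the accepted-field set and the function names are assumptions about a generic FastMCP-backed backend.

```python
"""Strict validation for an MCP "test server" request body.

Hypothetical hardening, not DocsGPT's code: the request is checked against an
allowlist before any transport object is built, so client-supplied
process-spawning fields never reach a StdioTransport.
"""
from urllib.parse import urlparse

# Assumption: only the network transports the UI exposes. "stdio" is deliberately
# absent because it spawns a local process from client-controlled values.
ALLOWED_TRANSPORTS = {"http", "sse"}
# Fields that only make sense for stdio; their mere presence is rejected.
PROCESS_FIELDS = {"command", "args", "env", "cwd"}
# Assumption: everything a network transport legitimately needs.
ALLOWED_FIELDS = {"transport_type", "server_url", "headers"}


class McpConfigError(ValueError):
    """Raised when the request body is not a safe HTTP-based MCP config."""


def validate_mcp_test_request(payload: dict) -> dict:
    """Return a normalized config, or raise McpConfigError. Checks the field
    set first so a stdio payload is refused even if transport_type is spoofed."""
    if not isinstance(payload, dict):
        raise McpConfigError("payload must be a JSON object")
    unexpected = set(payload) - ALLOWED_FIELDS
    spawning = sorted(unexpected & PROCESS_FIELDS)
    if spawning:
        raise McpConfigError(f"process-spawning fields rejected: {spawning}")
    if unexpected:
        raise McpConfigError(f"unknown fields: {sorted(unexpected)}")
    transport = payload.get("transport_type")
    if transport not in ALLOWED_TRANSPORTS:
        raise McpConfigError(f"transport_type must be one of {sorted(ALLOWED_TRANSPORTS)}")
    url = payload.get("server_url")
    parsed = urlparse(url) if isinstance(url, str) else None
    if parsed is None or parsed.scheme not in {"http", "https"} or not parsed.netloc:
        raise McpConfigError("server_url must be an absolute http(s) URL")
    headers = payload.get("headers", {})
    if not isinstance(headers, dict) or not all(
        isinstance(k, str) and isinstance(v, str) for k, v in headers.items()
    ):
        raise McpConfigError("headers must be a string-to-string map")
    return {"transport_type": transport, "server_url": url, "headers": headers}


def is_accepted(payload: dict) -> tuple[bool, str]:
    """Convenience wrapper: (accepted?, reason) without raising."""
    try:
        validate_mcp_test_request(payload)
        return True, "ok"
    except McpConfigError as exc:
        return False, str(exc)


# Constructed sample bodies (not real traffic) for exercising the validator.
BENIGN_REQUEST = {"transport_type": "http", "server_url": "https://mcp.example.internal/mcp"}
STDIO_REQUEST = {"transport_type": "stdio", "server_url": "https://mcp.example.internal/mcp",
                 "command": "some-binary", "args": ["--flag"]}
```

The same allowlist is also the shape of a WAF or reverse-proxy rule: anything other than an HTTP-based transport with a well-formed server_url has no legitimate reason to reach this endpoint.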
Who is impacted
- Anyone running DocsGPT >= 0.15.0, < 0.16.0.
- Highest risk: internet-reachable deployments where the backend API is accessible to unauthenticated users - including the vendor's hosted instance.
- Also at risk: internal deployments reachable over the local network. The advisory explicitly calls out the lateral movement scenario.
What to do now
- Upgrade to 0.16.0 immediately. That is the patched release identified by the advisory.
- Treat exposed instances as potentially compromised:
  - Review access logs for requests to POST /api/mcp_server/test.
  - Look for transport_type values of "stdio" and inspect any associated command or args payloads.
  - Review host process telemetry for unexpected executions attributable to the DocsGPT service account.
- Reduce exposure while you upgrade:
  - Restrict network access to the DocsGPT backend API - private network, VPN, or edge allowlist.
  - If you must keep it public, add compensating controls: put authentication in front of the API and apply WAF rules targeting /api/mcp_server/test.
- Post-incident hygiene (if exploitation is suspected): rotate every credential the DocsGPT process could reach - LLM provider keys, database credentials, and any integration tokens present in the environment.
