Skip to main content

Axle-Bucamp MCP-Docusaurus EUVDEUVD-2026-27161

| CVE-2026-7788 MEDIUM
Path Traversal (CWE-22)
2026-05-05 VulDB GHSA-jccf-76rp-79gq
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 05, 2026 - 00:30 vuln.today
Severity Changed
May 05, 2026 - 00:22 NVD
HIGH MEDIUM
CVSS changed
May 05, 2026 - 00:22 NVD
7.3 (HIGH) 5.5 (MEDIUM)

DescriptionCVE.org

A security flaw has been discovered in Axle-Bucamp MCP-Docusaurus up to 404bc028e15ec304c9a045528560f4b5f27a17e0. The affected element is the function update_document/continue_document/delete_document/get_content of the file app/routes/document.py. Performing a manipulation of the argument DOCS_DIR/path results in path traversal. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Path traversal in Axle-Bucamp MCP-Docusaurus document handling functions allows remote unauthenticated attackers to manipulate the DOCS_DIR path parameter in update_document, continue_document, delete_document, and get_content endpoints, enabling unauthorized file access and manipulation. The vulnerability affects all versions up to commit 404bc028e15ec304c9a045528560f4b5f27a17e0, with publicly available exploit code disclosed via GitHub issues.

Technical ContextAI

The vulnerability resides in app/routes/document.py where document management functions fail to properly sanitize the DOCS_DIR/path parameter before using it in file system operations. This is a classic CWE-22 path traversal flaw where user-supplied input is concatenated directly into file paths without validation, allowing attackers to use sequences like '../' to escape the intended directory boundaries. The affected endpoints (update_document, continue_document, delete_document, get_content) all process this unsanitized input, creating multiple exploitation vectors. The application appears to be a Model Context Protocol (MCP) implementation for Docusaurus, a documentation platform, making the document manipulation endpoints critical security boundaries.

RemediationAI

Upgrade to a patched version of MCP-Docusaurus after commit 404bc028e15ec304c9a045528560f4b5f27a17e0 once the project releases a fix. Since the vendor has not yet responded to early notification (as of CVE publication), monitor the GitHub repository for security updates. As a compensating control pending a patch, implement strict input validation in the DOCS_DIR/path parameter by using os.path.normpath() and os.path.abspath() to resolve the full path, then verify it starts with the intended DOCS_DIR base directory; reject any path that attempts to traverse outside this boundary (e.g., containing '..', or resolving to a different base). Additionally, run the application with minimal file system permissions-restrict the process user to read/write only the necessary documents directory and deny access to sensitive system paths. Consider deploying a Web Application Firewall rule to block requests containing path traversal sequences ('../', '..\', URL-encoded variants like '%2e%2e%2f'). These controls mitigate exploitation but do not eliminate the flaw; patch as soon as available.

Share

EUVD-2026-27161 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy