CVE-2026-7159: douinc mkdocs-mcp-plugin Path Traversal Vulnerability

The National Vulnerability Database has disclosed CVE-2026-7159, a high-severity path traversal vulnerability (CVSS 7.3) in douinc mkdocs-mcp-plugin up to version 0.4.1. This flaw affects the read_document/list_documents functions within the server.py file. Attackers can manipulate docs_dir/file_path arguments to traverse directories, potentially accessing sensitive files outside the intended document root.
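A containment check of the kind that closes this class of bug, as an added example; it is not the plugin's code or the vendor's fix. The names `naive_resolve`, `safe_resolve` and `demo`, and the temporary directory layout, are assumptions, and the check goes beyond `../` sequences to cover absolute paths and symlinks that leave the document root.

```python
import os
import tempfile
from pathlib import Path


def naive_resolve(docs_dir: str, file_path: str) -> Path:
    """Unsafe pattern: join caller-supplied values with no containment check."""
    # os.path.join keeps '..' segments and drops docs_dir if file_path is absolute.
    return Path(os.path.join(docs_dir, file_path)).resolve()


def safe_resolve(docs_root: Path, file_path: str) -> Path:
    """Resolve file_path under docs_root; raise if the result escapes it."""
    # Assumption: docs_root is fixed in server configuration, not taken from the request.
    root = docs_root.resolve(strict=True)
    # resolve() collapses '..' and follows symlinks, so the comparison below
    # is made on the real on-disk location.
    candidate = (root / file_path).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PermissionError(f"path escapes document root: {file_path!r}") from None
    return candidate


def demo() -> dict:
    """Constructed inputs: label -> (naive result is outside root, safe_resolve allows it)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        docs = base / "docs"
        docs.mkdir()
        (docs / "index.md").write_text("# Home\n")
        (base / "secret.txt").write_text("outside the document root\n")
        os.symlink(base / "secret.txt", docs / "link.md")  # symlink pointing outside
        cases = {"plain": "index.md", "normalized": "sub/../index.md",
                 "dotdot": "../secret.txt", "absolute": str(base / "secret.txt"),
                 "symlink": "link.md"}
        for label, arg in cases.items():
            outside = docs not in naive_resolve(str(docs), arg).parents
            try:
                safe_resolve(docs, arg)
                allowed = True
            except PermissionError:
                allowed = False
            results[label] = (outside, allowed)
    return results
```

Comparing resolved paths rather than filtering for `..` in the input string is what catches the absolute-path and symlink cases.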

This vulnerability is remotely exploitable, meaning an attacker doesn’t need local access to compromise affected systems. A public exploit is already available, significantly increasing the immediate risk. The vendor has acknowledged the issue and stated a fix will be released “within a few days.” This timeline is critical, as public exploits often lead to rapid weaponization.

Defenders must prioritize patching this vulnerability immediately upon release of the fix. Given the remote exploitability and public exploit code, any unpatched instance of mkdocs-mcp-plugin is a clear target. CISOs should ensure their development and documentation environments are inventoried for this plugin and ready for urgent updates.

What This Means For You

  • If your organization uses douinc mkdocs-mcp-plugin, you are exposed to a high-severity, remotely exploitable path traversal. An attacker can read arbitrary files from your server. Identify all instances of this plugin, especially those exposed to the internet, and prepare to patch them the moment a fix is available. Audit logs for unusual file access attempts.

🛡️ Detection Rules

Rule: CVE-2026-7159: mkdocs-mcp-plugin Path Traversal Attempt
Severity: high · ATT&CK: T1190 (Initial Access)

Sigma YAML:
title: CVE-2026-7159: mkdocs-mcp-plugin Path Traversal Attempt
id: scw-2026-04-27-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-7159 by looking for path traversal sequences ('../') within the URI and specific parameters ('docs_dir', 'file_path') known to be vulnerable in the douinc mkdocs-mcp-plugin.
author: SCW Feed Engine (AI-generated)
date: 2026-04-27
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7159/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/../'
    cs-uri-query|contains:
      - 'docs_dir='
      - 'file_path='
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse


Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7159 | Path Traversal | douinc mkdocs-mcp-plugin up to version 0.4.1 |
| CVE-2026-7159 | Path Traversal | Vulnerable file: server.py |
| CVE-2026-7159 | Path Traversal | Vulnerable functions: read_document, list_documents |
| CVE-2026-7159 | Path Traversal | Vulnerable arguments: docs_dir, file_path |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 28, 2026 at 01:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
