Axle-Bucamp MCP-Docusaurus Path Traversal (CVE-2026-7788) Public Exploit

The National Vulnerability Database has disclosed CVE-2026-7788, a high-severity path traversal vulnerability impacting Axle-Bucamp MCP-Docusaurus up to commit 404bc028e15ec304c9a045528560f4b5f27a17e0. This flaw resides in the update_document/continue_document/delete_document/get_content functions within app/routes/document.py, where manipulating the DOCS_DIR/path argument allows for remote path traversal. The CVSS score is 7.3 (HIGH).

What’s critical here is that a public exploit for CVE-2026-7788 is already available. This drastically lowers the bar for attackers, making exploitation trivial for anyone with basic scripting knowledge. Axle-Bucamp MCP-Docusaurus utilizes a rolling release model, meaning specific versioning for affected or patched releases isn’t readily available, which complicates defensive efforts. The project was reportedly informed but has not yet responded.

Attackers can leverage this path traversal to potentially read, write, or delete arbitrary files on the server, depending on the application’s permissions. This could lead to sensitive data exposure, code execution by overwriting configuration files, or even full system compromise. The remote attack vector makes this a prime target for opportunistic scanning and exploitation.
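A containment check of the kind the affected handlers would need before touching the filesystem, written here as an added example (not code from MCP-Docusaurus or from this advisory). The function and exception names are hypothetical; only the DOCS_DIR/path pairing comes from the description above.

```python
import os
import tempfile
from pathlib import Path


class PathOutsideDocsDir(ValueError):
    """The requested path resolves outside the documentation root."""


def resolve_in_docs_dir(docs_dir, user_path):
    """Map a client-supplied relative path to a file under docs_dir, or raise."""
    root = Path(docs_dir).resolve()
    # An absolute right-hand operand makes `root / user_path` discard root.
    if "\x00" in user_path or Path(user_path).is_absolute():
        raise PathOutsideDocsDir(user_path)
    # resolve() collapses ".." and follows symlinks before the comparison.
    candidate = (root / user_path).resolve()
    if candidate != root and root not in candidate.parents:
        raise PathOutsideDocsDir(user_path)
    return candidate


def check_cases():
    """Try constructed inputs against a throwaway tree; True means accepted."""
    cases = {
        "nested": "guide/intro.md",
        "dotdot": "../../etc/passwd",
        "sibling_prefix": "../docs-private/secret.md",
        "absolute": "/etc/passwd",
        "symlink": "escape/docs-private/secret.md",
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp, "docs")
        (docs / "guide").mkdir(parents=True)
        Path(tmp, "docs-private").mkdir()   # sibling that shares the "docs" prefix
        os.symlink(tmp, docs / "escape")    # link inside the root pointing out of it
        for name, path in cases.items():
            try:
                resolve_in_docs_dir(docs, path)
                results[name] = True
            except PathOutsideDocsDir:
                results[name] = False
    return results


if __name__ == "__main__":
    print(check_cases())
```

Comparing resolved path components rather than string prefixes is what rejects the `docs-private` sibling, which a `startswith` test on the root string would accept.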

What This Means For You

  • If your organization uses Axle-Bucamp MCP-Docusaurus, you are immediately exposed. Given the public exploit and remote attack vector, assume active exploitation is imminent. Identify all instances of this product within your environment and implement network segmentation to limit exposure. Patching is critical, but without specific version guidance, you need to monitor the project's repository for any security-related updates or workarounds. Review your WAF logs for attempts to manipulate file paths.
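For the log review suggested above, an added example (not part of the original advisory) that percent-decodes each request target and flags any ".." path segment in the URL path or a query value. The log lines are constructed and the /document route is a placeholder, since the advisory does not name the HTTP routes.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines; the /document route is a placeholder, not the project's.
SAMPLE_LOG = """\
203.0.113.7 - - [05/May/2026:04:10:11 +0000] "GET /document?path=guide/intro.md HTTP/1.1" 200 512
203.0.113.7 - - [05/May/2026:04:10:15 +0000] "POST /document?path=../../etc/hostname HTTP/1.1" 200 31
198.51.100.23 - - [05/May/2026:04:11:02 +0000] "GET /document?path=%252e%252e%252fapp%252fconfig.py HTTP/1.1" 404 0
198.51.100.23 - - [05/May/2026:04:11:09 +0000] "GET /docs/v1..2/notes.md?path=release..notes.md HTTP/1.1" 200 90
"""


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalized too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value):
    """True if any segment of the decoded value is '..' (either slash style)."""
    return ".." in re.split(r"[\\/]", fully_decode(value))


def scan(log_text):
    """Return (line number, method, fields) for requests carrying a '..' segment."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        target = urlsplit(match["target"])
        fields = ["<request path>"] if has_traversal(target.path) else []
        fields += [key for key, value in parse_qsl(target.query, keep_blank_values=True)
                   if has_traversal(value)]
        if fields:
            findings.append((number, match["method"], fields))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs rarely record request bodies, so a path submitted in a POST body has to be checked in application or WAF body logs instead.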

🛡️ Detection Rules

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

high T1190 Initial Access

CVE-2026-7788 - Axle-Bucamp MCP-Docusaurus Path Traversal

Sigma YAML
title: CVE-2026-7788 - Axle-Bucamp MCP-Docusaurus Path Traversal
id: scw-2026-05-05-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-7788 by looking for requests to the vulnerable 'app/routes/document.py' file with path traversal sequences in the query parameters, specifically targeting the 'DOCS_DIR' or 'path' arguments. This is a primary indicator of an attempted remote exploit.
author: SCW Feed Engine (AI-generated)
date: 2026-05-05
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7788/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/app/routes/document.py'
    cs-uri-query|contains:
      - 'DOCS_DIR/../'
      - 'path/../../'
    cs-method:
      - 'POST'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse


Indicators of Compromise

ID | Type | Indicator
CVE-2026-7788 | Path Traversal | Axle-Bucamp MCP-Docusaurus up to commit 404bc028e15ec304c9a045528560f4b5f27a17e0
CVE-2026-7788 | Path Traversal | Vulnerable file: app/routes/document.py
CVE-2026-7788 | Path Traversal | Vulnerable functions: update_document, continue_document, delete_document, get_content
CVE-2026-7788 | Path Traversal | Vulnerable argument: DOCS_DIR/path

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 05, 2026 at 03:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
