PT-2026-28723 · Unknown · Mcp-Docs-Rag

Yinci Chen · Published 2026-03-28 · Updated 2026-03-29 · CVE-2026-5007

CVSS v3.1: 5.3 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions: kazuph mcp-docs-rag versions up to 0.5.0

Description: A flaw exists in the cloneRepository function within the src/index.ts file of the add git repository/add text file component. This issue allows for operating system command injection, requiring local access for exploitation. The project maintainers were notified of the issue but have not yet responded. The exploit is publicly available.

Recommendations: Versions prior to 0.5.1 should be updated. As a temporary workaround, consider restricting access to the cloneRepository function until a patch is available.

Exploit

Fix

Command Injection

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-5007

Affected Products

Mcp-Docs-Rag