CRITICAL🇵🇱 Wersja polska

CVE-2026-40351

CVSS 9.8v3.1pub. 2026-04-17upd. 2026-04-27

FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime validation, allowing an unauthenticated attacker to pass a MongoDB query operator object (e.g., {"$ne": ""}) as the password field. This NoSQL injection bypasses the password check, enabling login as any user including the root administrator. This issue has been fixed in version 4.14.9.5.

🤖 AI Analysis
How it works

The login endpoint uses TypeScript type assertions without input data validation at runtime. An attacker can submit a MongoDB query operator object (e.g., {"$ne": ""}) in the password field instead of a string. The lack of actual data type verification causes the NoSQL query to the MongoDB database to be interpreted as always true, resulting in password verification bypass (Auth Bypass).

Impact

An unauthenticated remote attacker can log in as any user on the platform, including the root administrator account, gaining full control over the FastGPT platform and access to all data and configurations.

Mitigation & patch

FastGPT should be updated to version 4.14.9.5, where the issue has been fixed. The patch is available in the vendor's repository: https://github.com/labring/FastGPT/releases/tag/v4.14.9.5

Who is affected

FastGPT (labring/FastGPT) in versions earlier than 4.14.9.5

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Fastgpt

    APP
    Fastgpt
    < 4.14.9.5
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLiAuth Bypass
CWE
References

Related vulnerabilities

CVE-2026-34162CRITICAL10.0PL ✓ten sam produkt

FastGPT: nieuwierzytelniony endpoint proxy HTTP umożliwia SSRF

CVE-2026-33075CRITICAL9.4PL ✓ten sam produkt

FastGPT: RCE i eksfiltracja sekretów przez złośliwy Dockerfile w workflow CI/CD

CVE-2026-40352HIGH8.8ten sam produkt

FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password change endpoint is vulne...

CVE-2026-34163HIGH7.7ten sam produkt

FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, FastGPT's MCP (Model Context Protocol) to...

CVE-2026-40100MEDIUM5.3ten sam produkt

FastGPT is an AI Agent building platform. Prior to 4.14.10.3, the /api/core/app/mcpTools/runTool endpoint acce...