Skip to main content

Fastgpt CVE-2026-40352

| EUVDEUVD-2026-23559 HIGH
Improper Neutralization of Special Elements in Data Query Logic (CWE-943)
2026-04-17 GitHub_M
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Patch released
Apr 27, 2026 - 19:39 nvd
Patch available
Re-analysis Queued
Apr 17, 2026 - 22:22 vuln.today
cvss_changed
Patch available
Apr 17, 2026 - 22:16 EUVD
Analysis Generated
Apr 17, 2026 - 22:09 vuln.today
EUVD ID Assigned
Apr 17, 2026 - 21:45 euvd
EUVD-2026-23559
Analysis Generated
Apr 17, 2026 - 21:45 vuln.today
CVE Published
Apr 17, 2026 - 21:09 nvd
HIGH 8.8

DescriptionGitHub Advisory

FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password change endpoint is vulnerable to NoSQL injection. An authenticated attacker can bypass the "old password" verification by injecting MongoDB query operators. This allows an attacker who has gained a low-privileged session to change the password of their account (or others if combined with ID manipulation) without knowing the current one, leading to full account takeover and persistence. This issue has been fixed in version 4.14.9.5.

AnalysisAI

NoSQL injection in FastGPT versions before 4.14.9.5 allows authenticated attackers to bypass password verification on the password change endpoint using MongoDB query operators. Low-privileged users can change their own password (or potentially others' passwords via ID manipulation) without knowing the current password, enabling full account takeover and persistent access. Fixed in version 4.14.9.5. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis, though the attack technique is well-documented for NoSQL injection vectors.

Technical ContextAI

FastGPT is an AI Agent building platform (cpe:2.3:a:labring:fastgpt) that uses MongoDB as its backend database. The vulnerability stems from improper neutralization of special elements in an OS command (CWE-943: Improper Neutralization of Special Elements in Data Query Logic). The password change endpoint fails to sanitize user input when validating the old password field, allowing attackers to inject MongoDB query operators like $ne (not equal) or $gt (greater than) directly into the database query. Instead of comparing the submitted password string against the stored hash, the injected operator modifies the query logic itself, causing the verification check to always return true. This is a classic NoSQL injection pattern where object-based query languages (unlike parameterized SQL) can be manipulated by passing JSON objects containing operator keys rather than string values.

RemediationAI

Upgrade immediately to FastGPT version 4.14.9.5 or later, available at https://github.com/labring/FastGPT/releases/tag/v4.14.9.5. The fix commit (https://github.com/labring/FastGPT/commit/bd966d479fbe414d02679cf79f9eaaab3d100a2d) implements proper input sanitization for the password change endpoint. If immediate patching is not feasible, implement compensating controls: (1) Deploy a Web Application Firewall (WAF) with rules to block MongoDB operator characters ($ne, $gt, $regex, etc.) in password change requests, though this may cause false positives if legitimate passwords contain dollar signs; (2) Enable multi-factor authentication (MFA) for all accounts to raise the barrier for initial account compromise, reducing the pool of attackers who could exploit this after gaining low-privilege access; (3) Implement aggressive session timeout policies (under 15 minutes) and monitor for multiple password change attempts from the same session, though determined attackers can still exploit within this window. Review authentication logs for anomalous password change events prior to patching, particularly changes that succeeded without corresponding failed login attempts (possible indicator of exploitation). Note that workarounds only reduce risk-upgrade to 4.14.9.5 is the only complete remediation.

CVE-2025-52552 MEDIUM POC
6.1 Jun 21

FastGPT is an AI Agent building platform. Prior to version 4.9.12, the LastRoute Parameter on login page is vulnerable t

CVE-2026-34162 CRITICAL
10.0 Mar 31

Unauthenticated HTTP proxy abuse in FastGPT (AI Agent platform) prior to v4.14.9.5 allows remote attackers to relay arbi

CVE-2026-42302 CRITICAL
9.8 May 08

FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of

CVE-2026-40351 CRITICAL
9.8 Apr 17

NoSQL injection in FastGPT <4.14.9.5 password authentication allows unauthenticated remote attackers to bypass login con

CVE-2026-50562 CRITICAL
9.3 Jul 15

GitHub Actions artifact-poisoning (pwn request) in labring/FastGPT allows an external attacker who opens a pull request

CVE-2026-61684 HIGH
8.8 Jul 15

Authentication bypass in FastGPT 4.15.0-beta4 lets unauthenticated remote attackers forge JWTs and access internal plugi

CVE-2026-55418 HIGH
8.6 Jul 07

Cross-tenant file disclosure in FastGPT prior to v4.15.0-beta5 allows an attacker to read another team's stored files by

CVE-2026-54607 HIGH
7.7 Jul 07

Server-side request forgery in FastGPT before 4.15.0-beta4 lets an authenticated team member abuse the HTTP-tool OpenAPI

CVE-2026-44285 HIGH
7.7 May 29

Server-Side Request Forgery in Labring FastGPT prior to 4.15.0-beta1 lets an authenticated attacker bypass the platform'

CVE-2026-42345 HIGH
7.7 May 08

FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packa

CVE-2026-61644 HIGH
7.7 Jul 15

Cross-tenant data disclosure in FastGPT 4.14.17 through 4.15.0-beta5 lets a low-privileged tenant user read another tena

CVE-2026-54602 HIGH
7.1 Jul 07

Broken object-level authorization in FastGPT before 4.15.0 lets any authenticated user retrieve another team's LLM inter

Share

CVE-2026-40352 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy