Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionGitHub Advisory
FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password change endpoint is vulnerable to NoSQL injection. An authenticated attacker can bypass the "old password" verification by injecting MongoDB query operators. This allows an attacker who has gained a low-privileged session to change the password of their account (or others if combined with ID manipulation) without knowing the current one, leading to full account takeover and persistence. This issue has been fixed in version 4.14.9.5.
AnalysisAI
NoSQL injection in FastGPT versions before 4.14.9.5 allows authenticated attackers to bypass password verification on the password change endpoint using MongoDB query operators. Low-privileged users can change their own password (or potentially others' passwords via ID manipulation) without knowing the current password, enabling full account takeover and persistent access. Fixed in version 4.14.9.5. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis, though the attack technique is well-documented for NoSQL injection vectors.
Technical ContextAI
FastGPT is an AI Agent building platform (cpe:2.3:a:labring:fastgpt) that uses MongoDB as its backend database. The vulnerability stems from improper neutralization of special elements in an OS command (CWE-943: Improper Neutralization of Special Elements in Data Query Logic). The password change endpoint fails to sanitize user input when validating the old password field, allowing attackers to inject MongoDB query operators like $ne (not equal) or $gt (greater than) directly into the database query. Instead of comparing the submitted password string against the stored hash, the injected operator modifies the query logic itself, causing the verification check to always return true. This is a classic NoSQL injection pattern where object-based query languages (unlike parameterized SQL) can be manipulated by passing JSON objects containing operator keys rather than string values.
RemediationAI
Upgrade immediately to FastGPT version 4.14.9.5 or later, available at https://github.com/labring/FastGPT/releases/tag/v4.14.9.5. The fix commit (https://github.com/labring/FastGPT/commit/bd966d479fbe414d02679cf79f9eaaab3d100a2d) implements proper input sanitization for the password change endpoint. If immediate patching is not feasible, implement compensating controls: (1) Deploy a Web Application Firewall (WAF) with rules to block MongoDB operator characters ($ne, $gt, $regex, etc.) in password change requests, though this may cause false positives if legitimate passwords contain dollar signs; (2) Enable multi-factor authentication (MFA) for all accounts to raise the barrier for initial account compromise, reducing the pool of attackers who could exploit this after gaining low-privilege access; (3) Implement aggressive session timeout policies (under 15 minutes) and monitor for multiple password change attempts from the same session, though determined attackers can still exploit within this window. Review authentication logs for anomalous password change events prior to patching, particularly changes that succeeded without corresponding failed login attempts (possible indicator of exploitation). Note that workarounds only reduce risk-upgrade to 4.14.9.5 is the only complete remediation.
FastGPT is an AI Agent building platform. Prior to version 4.9.12, the LastRoute Parameter on login page is vulnerable t
Unauthenticated HTTP proxy abuse in FastGPT (AI Agent platform) prior to v4.14.9.5 allows remote attackers to relay arbi
FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of
NoSQL injection in FastGPT <4.14.9.5 password authentication allows unauthenticated remote attackers to bypass login con
GitHub Actions artifact-poisoning (pwn request) in labring/FastGPT allows an external attacker who opens a pull request
Authentication bypass in FastGPT 4.15.0-beta4 lets unauthenticated remote attackers forge JWTs and access internal plugi
Cross-tenant file disclosure in FastGPT prior to v4.15.0-beta5 allows an attacker to read another team's stored files by
Server-side request forgery in FastGPT before 4.15.0-beta4 lets an authenticated team member abuse the HTTP-tool OpenAPI
Server-Side Request Forgery in Labring FastGPT prior to 4.15.0-beta1 lets an authenticated attacker bypass the platform'
FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packa
Cross-tenant data disclosure in FastGPT 4.14.17 through 4.15.0-beta5 lets a low-privileged tenant user read another tena
Broken object-level authorization in FastGPT before 4.15.0 lets any authenticated user retrieve another team's LLM inter
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23559