VIR Vulnerability Intelligence Relay

CVE-2026-40351

critical
Published 2026-04-17 · Modified 2026-04-27
CVSS v3
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2
VIR risk
9.8

Description

FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime validation, allowing an unauthenticated attacker to pass a MongoDB query operator object (e.g., {"$ne": ""}) as the password field. This NoSQL injection bypasses the password check, enabling login as any user including the root administrator. This issue has been fixed in version 4.14.9.5.

Predictions

Exploit likelihood
97%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/labring/FastGPT/security/advisories/GHSA-x8mx-2mr7-h9xg

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/labring/FastGPT/releases/tag/v4.14.9.5

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/labring/FastGPT/commit/bd966d479fbe414d02679cf79f9eaaab3d100a2d

Application impact
VendorProductVersionsFixed
fastgptfastgpt{"endExcluding":"4.14.9.5"}4.14.9.5

References

CWEs

CWE-943

Verify integrity in audit chain (admin only). AS-IS.