Vulnerability Description
FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime validation, allowing an unauthenticated attacker to pass a MongoDB query operator object (e.g., {"$ne": ""}) as the password field. This NoSQL injection bypasses the password check, enabling login as any user including the root administrator. This issue has been fixed in version 4.14.9.5.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fastgpt | Fastgpt | < 4.14.9.5 |
Related Weaknesses (CWE)
References
- https://github.com/labring/FastGPT/commit/bd966d479fbe414d02679cf79f9eaaab3d100aPatch
- https://github.com/labring/FastGPT/releases/tag/v4.14.9.5ProductRelease Notes
- https://github.com/labring/FastGPT/security/advisories/GHSA-x8mx-2mr7-h9xgExploitMitigationVendor Advisory
FAQ
What is CVE-2026-40351?
CVE-2026-40351 is a vulnerability with a CVSS score of 9.8 (CRITICAL). FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime validation, allowing an unauthenticated attack...
How severe is CVE-2026-40351?
CVE-2026-40351 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-40351?
Check the references section above for vendor advisories and patch information. Affected products include: Fastgpt Fastgpt.