CVE-2026-40351.yaml
info:
  name: fastgpt
  cve: CVE-2026-40351
  summary: FastGPT NoSQL Injection in loginByPassword leads to Authentication Bypass
  details: >-
    FastGPT is an open-source AI Agent building platform. In versions prior to 4.14.9.5,
    the password-based login endpoint (/api/support/user/account/loginByPassword) uses
    a TypeScript type assertion (as PostLoginProps) without runtime validation, allowing an
    unauthenticated attacker to pass a MongoDB query operator object (e.g., {"$ne": ""})
    as the password field. This NoSQL injection bypasses the password check, enabling
    login as any user, including the root administrator. A proof-of-concept is publicly
    available in the GitHub security advisory. The vulnerability has a CVSS 3.1 score
    of 9.8 (CRITICAL), with no privileges required and a network-accessible attack vector.
    Exploit maturity: Low — no public PoC repository or nuclei template found as of
    April 2026, though the GHSA advisory includes a PoC curl command.
  cvss: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  severity: CRITICAL
  security_advise: >-
    Upgrade FastGPT to version 4.14.9.5 or later. The fix enforces strict runtime type
    validation using a Zod schema (LoginByPasswordBodySchema.parse) on the login endpoint,
    ensuring the password field is strictly a string and cannot accept MongoDB query
    operator objects.
  references:
    - https://github.com/labring/FastGPT/security/advisories/GHSA-x8mx-2mr7-h9xg
    - https://github.com/labring/FastGPT/commit/bd966d479fbe414d02679cf79f9eaaab3d100a2d
    - https://github.com/labring/FastGPT/releases/tag/v4.14.9.5
    - https://nvd.nist.gov/vuln/detail/CVE-2026-40351
rule: version < "4.14.9.5"
references:
  - https://github.com/labring/FastGPT/security/advisories/GHSA-x8mx-2mr7-h9xg
  - https://nvd.nist.gov/vuln/detail/CVE-2026-40351