CVE-2026-40351
FastGPT · AI Agent building platform
FastGPT versions prior to 4.14.9.5 are vulnerable to NoSQL injection in the login endpoint, allowing unauthenticated attackers to bypass authentication and gain administrative access.
Executive summary
A critical NoSQL injection vulnerability in FastGPT prior to version 4.14.9.5 allows unauthenticated attackers to bypass password validation and gain full administrative control.
Vulnerability
The login endpoint relies on a TypeScript type assertion, which is erased at compile time and performs no runtime check, so an unauthenticated attacker can supply a MongoDB query operator (e.g., "$ne") as the value of the password field. The resulting query matches a user record without a valid password, and the database returns a successful authentication result.
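The following is an added example written for this advisory, not FastGPT's own code: it contrasts the type-assertion pattern described above with a runtime validator that rejects anything other than a plain string in either credential field. The request shape (a JSON body with "username" and "password"), the function names and the length limits are assumptions of the example.

```typescript
// Added example (not FastGPT's code): why a TypeScript type assertion is not input validation.
// Assumed request shape: a JSON body carrying "username" and "password" fields.
type LoginBody = { username: string; password: string };

// Vulnerable pattern: the `as` assertion only tells the compiler what to assume. It is erased
// when the code is compiled, so an object in the password field reaches the database query
// unchanged and becomes part of the filter instead of a literal value.
function parseLoginUnsafe(body: unknown): LoginBody {
  return body as LoginBody;
}

// Hardened pattern: check the runtime type and bounds of every field before anything can
// reach a query. Returns null on any deviation so the caller fails closed (reject the login,
// never build a filter from unvalidated input). The length limits are assumed values.
function parseLoginSafe(body: unknown): LoginBody | null {
  if (typeof body !== "object" || body === null || Array.isArray(body)) return null;
  const record = body as Record<string, unknown>;
  const username = record["username"];
  const password = record["password"];
  if (typeof username !== "string" || typeof password !== "string") return null;
  if (username.length === 0 || username.length > 128) return null;
  if (password.length === 0 || password.length > 256) return null;
  // Only primitive strings are ever returned, so no operator object can be placed in a filter.
  return { username, password };
}

// Stand-alone demonstration: the same malformed body passes the assertion but fails validation.
const demoBody: unknown = { username: "admin", password: { $ne: "" } };
console.log("unsafe password type:", typeof parseLoginUnsafe(demoBody).password); // "object"
console.log("safe parse result:", parseLoginSafe(demoBody));                      // null
```

The point of the hardened version is that the filter passed to the database is built only from values whose runtime type has been checked; a validation library (a JSON schema or a zod-style schema) achieves the same result, but the check has to happen at runtime, not in the type system.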
Business impact
This vulnerability carries a CVSS score of 9.8, reflecting the ease of exploitation and the catastrophic impact of unauthorized administrative access. Successful exploitation could lead to full platform takeover, data exfiltration, and the manipulation of AI agents, causing severe reputational damage and operational disruption.
Remediation
Immediate Action: Update FastGPT to version 4.14.9.5 or higher, which adds proper runtime validation of user input.
Proactive Monitoring: Inspect authentication logs for anomalous login attempts, specifically looking for JSON-like syntax or MongoDB query operators in password fields.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block common NoSQL injection patterns in request bodies.
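As an added example for the monitoring step above (not part of the original advisory and not FastGPT's code), the following detector scans login-request log lines for the two indicators the advisory names: a non-string value in a credential field, and MongoDB operator syntax ("$"-prefixed keys, or a string that itself looks like a JSON object with such a key). The log format is constructed for this example: one JSON object per line with the request path and the parsed body, where the logging layer is assumed to replace ordinary string credentials with "[redacted]" and to keep any value it could not classify as an ordinary credential string verbatim. The "/login" path is likewise an assumption.

```typescript
// Added example (not FastGPT's code): detection logic for NoSQL-operator injection attempts
// against a login endpoint, run over constructed sample log lines.

type Finding = { line: number; reason: string };

// Collect JSON key paths whose key begins with "$", i.e. MongoDB operator syntax,
// anywhere in a nested body (objects and arrays).
function operatorKeys(value: unknown, path: string): string[] {
  const hits: string[] = [];
  if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...operatorKeys(v, `${path}[${i}]`)));
  } else if (typeof value === "object" && value !== null) {
    const record = value as Record<string, unknown>;
    for (const key of Object.keys(record)) {
      const child = path === "" ? key : `${path}.${key}`;
      if (key.charAt(0) === "$") hits.push(child);
      hits.push(...operatorKeys(record[key], child));
    }
  }
  return hits;
}

const CREDENTIAL_FIELDS = ["username", "password"];
// A string that itself looks like a JSON object with an operator key, e.g. {"$ne": ""}.
const JSON_OPERATOR_RE = /^\s*\{.*"\$\w+"\s*:/;

// Explain why a login body is anomalous; an empty list means nothing suspicious was found.
function inspectLoginBody(body: Record<string, unknown>): string[] {
  const reasons: string[] = [];
  for (const field of CREDENTIAL_FIELDS) {
    const v = body[field];
    if (field in body && typeof v !== "string") {
      reasons.push(`${field} is ${Array.isArray(v) ? "array" : typeof v}, expected string`);
    }
  }
  for (const keyPath of operatorKeys(body, "")) reasons.push(`operator key at ${keyPath}`);
  for (const field of CREDENTIAL_FIELDS) {
    const v = body[field];
    if (typeof v === "string" && JSON_OPERATOR_RE.test(v)) {
      reasons.push(`${field} contains JSON-like operator syntax`);
    }
  }
  return reasons;
}

// Scan log lines (1-based line numbers in findings); unparseable lines and requests to
// other paths are skipped rather than treated as errors.
function scanLoginLog(lines: string[], loginPath: string = "/login"): Finding[] {
  const findings: Finding[] = [];
  lines.forEach((raw, idx) => {
    let entry: unknown = null;
    try {
      entry = JSON.parse(raw);
    } catch (e) {
      return;
    }
    if (typeof entry !== "object" || entry === null) return;
    const rec = entry as { path?: unknown; body?: unknown };
    if (rec.path !== loginPath) return;
    if (typeof rec.body !== "object" || rec.body === null || Array.isArray(rec.body)) return;
    for (const reason of inspectLoginBody(rec.body as Record<string, unknown>)) {
      findings.push({ line: idx + 1, reason });
    }
  });
  return findings;
}

// Constructed sample log (timestamps, path and redaction marker are assumptions of this example).
const SAMPLE_LOG: string[] = [
  JSON.stringify({ ts: "2026-05-01T10:00:00Z", path: "/login", body: { username: "alice", password: "[redacted]" } }),
  JSON.stringify({ ts: "2026-05-01T10:00:07Z", path: "/login", body: { username: "admin", password: { $ne: "" } } }),
  JSON.stringify({ ts: "2026-05-01T10:00:09Z", path: "/healthz" }),
  "garbled line that is not JSON",
  JSON.stringify({ ts: "2026-05-01T10:00:12Z", path: "/login", body: { username: "admin", password: '{"$ne": ""}' } }),
];

// Stand-alone run: print each finding.
for (const f of scanLoginLog(SAMPLE_LOG)) console.log(`line ${f.line}: ${f.reason}`);
```

The same `inspectLoginBody` check can run inside the request handler itself, emitting an alert event at the moment validation rejects a body; that is more reliable than after-the-fact log scanning, because it does not depend on the logging layer preserving the structure of the rejected value.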
Exploitation status
Public Exploit Available: No
Analyst recommendation
The risk posed by this authentication bypass is extreme. Administrators must apply the provided patch immediately and conduct a thorough audit of account activity to ensure no unauthorized administrative actions were performed during the vulnerable period.