Unauthorized Access Vulnerability in FastGPT AI Agent Building Platform
CVE-2026-26003

6.9 MEDIUM

Key Information:

Vendor: Labring

CVE Published: 10 February 2026

What is CVE-2026-26003?

FastGPT, an AI agent building platform, has a vulnerability that affects versions 4.14.0 to 4.14.5. Attackers can exploit this flaw to access the plugin system at FastGPT/api/plugin/xxx without authentication. This unauthorized access may crash the plugin system and cause the loss of plugin installation status. It does not lead to key leakage. Users of earlier versions face minimal risk, because the interfaces in those versions primarily allow information retrieval and the impact is negligible. The issue is mitigated in version 4.14.5-fix.

Affected Version(s)

FastGPT >= 4.14.0, < 4.14.5-fix
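
The range above does not follow ordinary version ordering: 4.14.5 is affected while 4.14.5-fix is not, and strict SemVer precedence sorts a suffixed build below the plain release. The following check is an added example, not code from this page or from the FastGPT project; the optional "v" tag prefix and the deployment names in the sample inventory are assumptions.

```python
import re

# Affected range as listed on this page: >= 4.14.0, < 4.14.5-fix
FIRST_AFFECTED = (4, 14, 0)
LAST_AFFECTED = (4, 14, 5)   # plain 4.14.5 is still affected
FIXED_SUFFIX = "fix"         # 4.14.5-fix carries the mitigation

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")

def classify(version):
    """Return 'affected', 'not_affected' or 'unknown' for one version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return "unknown"            # e.g. 'latest': resolve the tag by hand
    core = tuple(int(x) for x in m.group(1, 2, 3))
    suffix = m.group(4)
    if core == LAST_AFFECTED and suffix == FIXED_SUFFIX:
        return "not_affected"
    if suffix is not None:
        return "unknown"            # other suffixed builds are not covered by the page
    if FIRST_AFFECTED <= core <= LAST_AFFECTED:
        return "affected"
    return "not_affected"           # outside the range this page lists

def _semver_key(version):
    m = _VERSION_RE.match(version)
    core = tuple(int(x) for x in m.group(1, 2, 3))
    suffix = m.group(4)
    # SemVer precedence: a suffixed (pre-release) build sorts below the plain release
    return (core, 0 if suffix else 1, suffix or "")

def naive_semver_in_range(version):
    """The pitfall: applying '>= 4.14.0, < 4.14.5-fix' with SemVer ordering."""
    return _semver_key("4.14.0") <= _semver_key(version) < _semver_key("4.14.5-fix")

def audit(inventory):
    """Map each deployment name to its classification."""
    return {name: classify(ver) for name, ver in inventory.items()}

# Constructed sample inventory (deployment names are hypothetical)
SAMPLE = {"prod": "v4.14.5", "staging": "4.14.5-fix", "legacy": "4.13.2",
          "dev": "4.14.2", "demo": "latest"}

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name:8} {SAMPLE[name]:12} {status}")
    print("naive SemVer check flags 4.14.5:", naive_semver_in_range("4.14.5"))
```
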

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved