NoSQL Injection Vulnerability in FastGPT AI Agent Building Platform
CVE-2026-40352

8.8 HIGH

Key Information:

Vendor: Labring
Status: Vendor
CVE Published: 17 April 2026

What is CVE-2026-40352?

FastGPT, Labring's AI agent building platform, has a NoSQL injection flaw in its password change endpoint in versions before 4.14.9.5. The endpoint validates the caller's old password with a database query built from request input, so an authenticated attacker can supply a query operator in place of the old password and bypass that check, changing the account password without knowing the current one. Combined with manipulation of the user ID the endpoint accepts, the same request can change the password of other accounts. The issue is fixed in version 4.14.9.5.

Affected Version(s)

FastGPT < 4.14.9.5

CVSS V3.1

Score: 8.8
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published (17 April 2026)