Remote Code Execution Vulnerability in FastGPT AI Agent Building Platform
CVE-2026-42302

9.8 CRITICAL

Key Information:

Vendor: Labring
Status: Vendor
CVE Published: 8 May 2026

What is CVE-2026-42302?

The agent-sandbox component of FastGPT, an AI Agent building platform, is vulnerable to unauthenticated Remote Code Execution. The entrypoint script starts code-server with the --auth none flag and exposes the service on all network interfaces (0.0.0.0:8080). Because authentication is disabled, anyone with network access to this port gets full control over the sandbox environment without presenting credentials. The issue is fixed in FastGPT version 4.14.13; affected deployments should upgrade to protect against exploitation.
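A defender-side check for the misconfiguration described above, added here as an example (it is not FastGPT's or code-server's own code). It assumes the listener is set with code-server's `--bind-addr` flag; the function names and the sample entrypoint are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag code-server launches that combine disabled auth with a
# non-loopback listener. Sample entrypoint below is constructed for illustration.

# classify_launch "<command line>" prints EXPOSED, LOCAL_ONLY or AUTH_ON.
classify_launch() {
    auth="password"        # code-server default when --auth is absent
    bind="127.0.0.1:8080"  # code-server default bind address
    prev=""
    set -f                 # no glob expansion while word-splitting the line
    for word in $1; do
        case "$prev" in
            --auth)      auth="$word" ;;
            --bind-addr) bind="$word" ;;
        esac
        case "$word" in
            --auth=*)      auth="${word#--auth=}" ;;
            --bind-addr=*) bind="${word#--bind-addr=}" ;;
        esac
        prev="$word"
    done
    set +f
    if [ "$auth" != "none" ]; then echo AUTH_ON; return 0; fi
    case "${bind%:*}" in   # strip the trailing :port
        127.*|localhost|"[::1]") echo LOCAL_ONLY ;;
        *)                       echo EXPOSED ;;
    esac
}

# audit_entrypoint reads a script on stdin and prints "<verdict><TAB><command>"
# for each code-server invocation. read without -r joins backslash-continued lines.
audit_entrypoint() {
    while read line; do
        case "$line" in
            \#*)           continue ;;
            *code-server*) printf '%s\t%s\n' "$(classify_launch "$line")" "$line" ;;
        esac
    done
}

# Constructed sample, not FastGPT's actual entrypoint script.
sample_entrypoint() {
    cat <<'EOF'
#!/bin/sh
exec code-server \
  --bind-addr 0.0.0.0:8080 \
  --auth none
EOF
}

sample_entrypoint | audit_entrypoint
```

To audit a real image, pipe its entrypoint script into `audit_entrypoint`; any `EXPOSED` line means the editor is reachable without credentials from every network that can route to the container port.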

Affected Version(s)

FastGPT >= 4.14.10, < 4.14.13

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
