CVE-2026-40351
Received Received - Intake
NoSQL Injection in FastGPT Allows Unauthorized Root Login

Publication date: 2026-04-17

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime validation, allowing an unauthenticated attacker to pass a MongoDB query operator object (e.g., {"$ne": ""}) as the password field. This NoSQL injection bypasses the password check, enabling login as any user including the root administrator. This issue has been fixed in version 4.14.9.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40351
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fastgpt fastgpt to 4.14.9.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-943 The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows an unauthenticated attacker to bypass password authentication and gain access as any user, including the root administrator. Such unauthorized access can lead to exposure, modification, or deletion of sensitive data.

Consequently, this poses a significant risk to compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive personal and health information.

Failure to prevent unauthorized access could result in violations of these regulations, potentially leading to legal penalties, data breaches, and loss of trust.

Executive Summary

This vulnerability exists in FastGPT versions prior to 4.14.9.5. The password-based login endpoint uses TypeScript type assertion without runtime validation, which allows an unauthenticated attacker to pass a MongoDB query operator object (such as {"$ne": ""}) as the password field. This leads to a NoSQL injection that bypasses the password check, enabling the attacker to log in as any user, including the root administrator.

Impact Analysis

This vulnerability can have severe impacts because it allows an unauthenticated attacker to bypass authentication controls and gain access to any user account, including the root administrator. This can lead to full system compromise, unauthorized data access, data modification, and disruption of services.

Mitigation Strategies

To mitigate this vulnerability, upgrade FastGPT to version 4.14.9.5 or later, where the issue has been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40351. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart