CVE-2026-42302
Received Received - Intake

Unauthenticated Remote Code Execution in FastGPT Agent-Sandbox

Vulnerability report for CVE-2026-42302, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description

FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of FastGPT is vulnerable to unauthenticated Remote Code Execution (RCE). The startup script entrypoint.sh initializes code-server with the --auth none flag and binds the service to all network interfaces (0.0.0.0:8080). This configuration allows any user with network access to the port to bypass authentication and gain full control over the sandbox environment. This issue has been patched in version 4.14.13.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-07-09
AI Q&A
2026-05-09
EPSS Evaluated
2026-07-08
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
fastgpt agent_sandbox From 4.14.10 (inc) to 4.14.13 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in the agent-sandbox component of FastGPT versions from 4.14.10 up to but not including 4.14.13. The startup script entrypoint.sh starts code-server with the --auth none flag and binds it to all network interfaces on port 8080. This means that anyone with network access to this port can bypass authentication and execute arbitrary code remotely within the sandbox environment.

Impact Analysis

This vulnerability allows unauthenticated remote attackers to gain full control over the sandbox environment by executing arbitrary code. This can lead to complete compromise of the affected system, including unauthorized access, data theft, data manipulation, or disruption of services.

Detection Guidance

The vulnerability exists because the agent-sandbox component of FastGPT runs code-server with the --auth none flag and binds to all network interfaces on port 8080, allowing unauthenticated access.

To detect this vulnerability on your network or system, you can check if the service is listening on port 8080 without authentication.

  • Use a network scanning tool like nmap to check if port 8080 is open and accessible: nmap -p 8080 <target-ip>
  • Attempt to access the service via a web browser or curl to see if authentication is required: curl http://<target-ip>:8080
  • On the host, check the startup script entrypoint.sh or running processes for code-server launched with the --auth none flag.
Mitigation Strategies

The vulnerability has been patched in FastGPT version 4.14.13.

Immediate mitigation steps include:

  • Upgrade FastGPT to version 4.14.13 or later where the issue is fixed.
  • If upgrading is not immediately possible, restrict network access to port 8080 to trusted users only, for example by firewall rules or network segmentation.
  • Modify the startup script to remove the --auth none flag or configure authentication for code-server.
  • Monitor network traffic and logs for any suspicious activity targeting port 8080.
Compliance Impact

The vulnerability allows unauthenticated remote code execution, enabling any user with network access to gain full control over the sandbox environment. This could lead to unauthorized access, data breaches, and potential manipulation or exfiltration of sensitive data.

Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access.

However, the provided information does not explicitly state the impact on compliance or mention specific regulatory consequences.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42302. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart