CVE-2026-40351: FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScri
Summary
FastGPT, an AI Agent building platform, has a NoSQL injection vulnerability (a type of attack where an attacker tricks the database query by inserting special commands) in its login system before version 4.14.9.5. The vulnerability allows unauthenticated attackers to bypass password checks and log in as any user, including administrators, by sending database operators instead of a real password.
Solution / Mitigation
This issue has been fixed in version 4.14.9.5. Users should upgrade to this version or later.
Vulnerability Details
9.8(critical)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
network
low
none
none
April 17, 2026
Classification
Taxonomy References
Affected Vendors
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-40351
First tracked: April 17, 2026 at 08:10 PM
Classified by LLM (prompt v3) · confidence: 92%