AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-40352: FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password change endpoint is vulnerable to N

highvulnerability

security

Source: NVD/CVE DatabaseApril 17, 2026CVE-2026-40352

Summary

FastGPT, an AI Agent building platform, has a vulnerability in its password change feature in versions before 4.14.9.5 where attackers can use NoSQL injection (inserting MongoDB operators into input fields to manipulate database queries) to bypass password verification and take over accounts without knowing the current password.

Solution / Mitigation

Update FastGPT to version 4.14.9.5 or later, where this issue has been fixed.

Vulnerability Details

CVSS Score

8.8(high)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

network

Attack Complexity

low

Privileges Required

low

User Interaction

none

Disclosure Date

April 17, 2026

Classification

Attack Type

Other

Attack SophisticationModerate

Impact (CIA+S)

confidentialityintegrity

Taxonomy References

CWE (Weakness Type)

CWE-943

Affected Vendors

LangChain

Related Issues

medium

CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e

Same vendorNVD/CVE Database

critical

CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-

Same vendor

Monthly digest — independent AI security research

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-40352

First tracked: April 17, 2026 at 08:10 PM

Classified by LLM (prompt v3) · confidence: 85%