CVE-2026-42302: FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of
Summary
FastGPT versions 4.14.10 through 4.14.12 have a critical vulnerability in their agent-sandbox component that allows unauthenticated remote code execution (RCE), i.e. an attacker can run arbitrary commands on the affected system. The component's startup script launches code-server (a web-based code editor) with authentication disabled and bound to all network interfaces, so anyone who can reach port 8080 on the host can take complete control of the sandbox environment.
Solution / Mitigation
This issue is patched in FastGPT version 4.14.13; update to that version or later.
Vulnerability Details
CVSS score: 9.8 (critical)
EPSS: 0.3%
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: network
Attack complexity: low
Privileges required: none
User interaction: none
Date: May 8, 2026
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-42302
First tracked: May 9, 2026 at 02:12 AM
Classified by LLM (prompt v3) · confidence: 92%