CVE-2026-26003
MEDIUM 5.4
Description
FastGPT is an AI Agent building platform. From 4.14.0 to 4.14.5, attackers can directly access the plugin system through FastGPT/api/plugin/xxx without authentication, thereby threatening the plugin system. This may cause the plugin system to crash and the loss of plugin installation status, but it will not result in key leakage. For older versions, as there are only operation interfaces for obtaining information, the impact is almost negligible. This vulnerability is fixed in 4.14.5-fix.
CVE details
CVSS v3.1 score: 5.4
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Attack vector: NETWORK
Complexity: LOW
Privileges required: NONE
User interaction: REQUIRED
Published: 2/10/2026
Last modified: 2/23/2026
Source: nvd
Honeypot sightings: 0
Affected products
fastgpt:fastgpt
Weaknesses (CWE)
CWE-601
References
https://github.com/labring/FastGPT/commit/0beb52a2f3dc4067aab011cc98122d1352823b0c (security-advisories@github.com)
https://github.com/labring/FastGPT/releases/tag/v4.14.5-fix (security-advisories@github.com)
https://github.com/labring/FastGPT/security/advisories/GHSA-wcrg-g824-9gfg (security-advisories@github.com)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.