← Zuruck zu CVEs
CVE-2026-40352
HIGH8.8
Beschreibung
FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password change endpoint is vulnerable to NoSQL injection. An authenticated attacker can bypass the "old password" verification by injecting MongoDB query operators. This allows an attacker who has gained a low-privileged session to change the password of their account (or others if combined with ID manipulation) without knowing the current one, leading to full account takeover and persistence. This issue has been fixed in version 4.14.9.5.
CVE Details
CVSS v3.1 Bewertung8.8
SchweregradHIGH
CVSS VektorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AngriffsvektorNETWORK
KomplexitatLOW
Erforderliche PrivilegienLOW
BenutzerinteraktionNONE
Veroffentlicht4/17/2026
Zuletzt geandert4/20/2026
Quellenvd
Honeypot-Sichtungen0
Schwachen (CWE)
CWE-943
Referenzen
https://github.com/labring/FastGPT/commit/bd966d479fbe414d02679cf79f9eaaab3d100a2d(security-advisories@github.com)
https://github.com/labring/FastGPT/releases/tag/v4.14.9.5(security-advisories@github.com)
https://github.com/labring/FastGPT/security/advisories/GHSA-422w-vrfj-72g6(security-advisories@github.com)
IOC Korrelationen
Keine Korrelationen erfasst
This product uses data from the NVD API but is not endorsed or certified by the NVD.