<0.1% probability · 21.0th percentile — 2026-05-12
Affected versions
FastGPT versions prior to 4.14.9.5
Summary
FastGPT is a widely used open-source AI Agent building platform. Its password-based login endpoint performs no runtime validation of the request body, so an unauthenticated attacker can submit MongoDB query operators in place of credential strings and bypass the password check (NoSQL injection). Successful exploitation grants the attacker full root administrator access to the platform. The vulnerability is fixed in version 4.14.9.5.
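The following is an added illustration of the bug class described above, not FastGPT's own code: a login handler that lets request-body fields flow straight into a MongoDB-style query filter, next to a hardened version that rejects anything but plain strings, plus a request-level check for operator keys. The user records, the in-memory `findOne` stand-in (which implements only the `$ne`, `$gt` and `$regex` operators) and the assumption that the password or its hash is matched inside the query filter are all constructed for the example; the real driver, schema and field names are not shown here.

```javascript
// Constructed sample user collection; "password" stands in for whatever value
// (hash or otherwise) the login query compares against.
const users = [
  { username: 'root', password: 'hash-of-root-password', role: 'admin' },
  { username: 'alice', password: 'hash-of-alice-password', role: 'member' },
];

// Minimal stand-in for MongoDB filter semantics: a plain value means equality,
// an object means query operators. Enough to reproduce the bypass offline.
function matches(fieldValue, cond) {
  if (cond !== null && typeof cond === 'object' && !Array.isArray(cond)) {
    return Object.entries(cond).every(([op, arg]) => {
      switch (op) {
        case '$ne': return fieldValue !== arg;
        case '$gt': return fieldValue > arg;
        case '$regex': return new RegExp(arg).test(String(fieldValue));
        default: throw new Error('unsupported operator in example: ' + op);
      }
    });
  }
  return fieldValue === cond;
}

function findOne(filter) {
  const hit = users.find((doc) =>
    Object.entries(filter).every(([field, cond]) => matches(doc[field], cond)),
  );
  return hit || null;
}

// Vulnerable pattern: the deserialized JSON body is trusted to contain strings,
// but a JSON object such as {"$ne": null} is passed through unchanged and is
// interpreted by the database as a query operator. {"$ne": null} matches every
// stored value, so the password check is satisfied without knowing the password.
function loginVulnerable(body) {
  const user = findOne({ username: body.username, password: body.password });
  return user ? { ok: true, username: user.username, role: user.role } : { ok: false };
}

// Hardened pattern: enforce the type at runtime before building the query.
// Anything that is not a string (object, array, number, undefined) is rejected,
// so operator objects can never reach the filter. A schema validator on the
// route (e.g. zod/joi) achieves the same thing more systematically.
function loginHardened(body) {
  if (typeof body.username !== 'string' || typeof body.password !== 'string') {
    return { ok: false, reason: 'credentials must be strings' };
  }
  const user = findOne({ username: body.username, password: body.password });
  return user ? { ok: true, username: user.username, role: user.role } : { ok: false };
}

// Defence-in-depth / detection aid: walk a parsed request body and flag any key
// that starts with '$' or contains '.', which is what an operator-injection
// payload looks like. Useful for logging or blocking at a gateway in front of
// an unpatched instance.
function hasOperatorKeys(value) {
  if (Array.isArray(value)) return value.some(hasOperatorKeys);
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).some(
      ([k, v]) => k.startsWith('$') || k.includes('.') || hasOperatorKeys(v),
    );
  }
  return false;
}

// Constructed attacker payload: known admin username, unknown password.
const payload = { username: 'root', password: { $ne: null } };
console.log('vulnerable:', loginVulnerable(payload)); // logs in as root
console.log('hardened:  ', loginHardened(payload));   // rejected
console.log('flagged:   ', hasOperatorKeys(payload)); // true
```

Note that the bypass does not even require the username: a filter such as `{ username: { $regex: '^r' }, password: { $ne: null } }` lets the attacker enumerate accounts one pattern at a time, which is why the fix must reject non-string input rather than rely on the attacker not knowing account names.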
Remediation
Organizations running affected FastGPT versions should upgrade to 4.14.9.5 immediately. If an immediate upgrade is not possible, restrict unauthenticated network access to the login endpoint (for example by IP allow-list, VPN or an authenticating reverse proxy) until it is. Because the flaw yields root administrator access, audit all platform accounts after patching, with particular attention to administrator accounts, unexpected logins, and any accounts or credentials created during the exposure window.
TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.