FastGPT, an AI agent building platform, has critical security vulnerabilities that allow unauthenticated attackers to bypass password-based login and authenticated attackers to bypass password verification through NoSQL injection.
Claims
Parent: AI · Entity: FastGPT · Impact: negative · Date: Apr 18, 2026 · Target: FastGPT's security vulnerabilities
Source posts
🔴 CVE-2026-40351 - Critical (9.8)
FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime validation, allowing an unauthenticated attacker to pass a MongoDB query operator object (e.g...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40351/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
0 boosts · 0 favs · 0 replies · Apr 18, 2026
🟠 CVE-2026-40352 - High (8.8)
FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password change endpoint is vulnerable to NoSQL injection. An authenticated attacker can bypass the "old password" verification by injecting MongoDB query operators. This...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40352/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
0 boosts · 0 favs · 0 replies · Apr 18, 2026
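The first advisory attributes the login bypass to a TypeScript type assertion with no runtime validation, and the second describes the same injection class on the password change endpoint. The following is an added example, not FastGPT's code and not taken from the advisories, contrasting a bare assertion with a runtime check; every name, the length limit and both sample bodies are constructed for illustration.

```typescript
// Added example: hypothetical names, not FastGPT source code.
interface LoginBody {
  username: string;
  password: string;
}

// Pattern described in the advisory: `as` is erased at compile time, so the
// parsed JSON keeps whatever shape the client sent.
function parseWithAssertion(raw: string): LoginBody {
  return JSON.parse(raw) as LoginBody;
}

const MAX_FIELD_LENGTH = 256; // assumed limit for this example

function isBoundedString(v: unknown): v is string {
  return typeof v === "string" && v.length > 0 && v.length <= MAX_FIELD_LENGTH;
}

// Hardened form: check the runtime type of every field before it can reach
// a database filter. Returns null for anything that is not two plain strings.
function parseWithValidation(raw: string): LoginBody | null {
  let data: unknown;
  try {
    data = JSON.parse(raw);
  } catch {
    return null; // not JSON at all
  }
  if (typeof data !== "object" || data === null || Array.isArray(data)) {
    return null;
  }
  const { username, password } = data as Record<string, unknown>;
  if (!isBoundedString(username) || !isBoundedString(password)) {
    return null; // objects, arrays, numbers and empty strings are rejected
  }
  // Rebuild the object from validated fields only; extra keys are dropped.
  return { username, password };
}

// Constructed sample request bodies. "$placeholderOperator" stands in for
// any "$"-prefixed key; it is not a value taken from the advisories.
const SAMPLE_VALID = '{"username":"alice","password":"constructed-sample"}';
const SAMPLE_OBJECT =
  '{"username":"alice","password":{"$placeholderOperator":"x"}}';
```

With `SAMPLE_OBJECT`, `parseWithAssertion` returns a value whose `password` is an object at runtime even though its static type is `string`, while `parseWithValidation` returns `null`.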