PT-2026-33519 · Fastgpt · Fastgpt
August829 · Published 2026-04-17 · Updated 2026-04-27 · CVE-2026-40351
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
FastGPT versions prior to 4.14.9.5
Description
The password-based login endpoint relies on a TypeScript type assertion for the request body and performs no runtime validation. An unauthenticated attacker can therefore submit a MongoDB query operator object, such as {"$ne": ""}, in the password field. This NoSQL injection—a technique where an attacker uses database-specific syntax to manipulate queries—bypasses the authentication check and grants access to any user account, including the root administrator.
Recommendations
Update to version 4.14.9.5.
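The type-assertion pitfall in the description above, as an added example that is not FastGPT's code: a constructed login handler that trusts `body as LoginBody` beside one that validates the body at runtime, both run against a small in-memory stand-in for a MongoDB collection that implements only equality and `$ne`. All names, the `USERS` data and the request body are constructed for this illustration.

```typescript
// Added example, not FastGPT's code. Shows why a TypeScript type assertion on
// a request body is not a security check, and the runtime validation that is.

interface LoginBody {
  username: string;
  password: string;
}

// Stored user record; in practice `password` would hold a hash (constructed data below).
type UserDoc = { username: string; password: string };

// A query field is either a literal or an operator object such as {"$ne": ""}.
type QueryValue = string | { $ne: string };
type Query = Partial<Record<keyof UserDoc, QueryValue>>;

// Minimal stand-in for MongoDB's matcher: equality and $ne only (constructed).
function matches(doc: UserDoc, query: Query): boolean {
  for (const field of Object.keys(query) as (keyof UserDoc)[]) {
    const cond = query[field];
    const actual = doc[field];
    if (typeof cond === "string") {
      if (actual !== cond) return false;          // literal equality
    } else if (cond !== undefined && cond !== null && typeof cond === "object" && "$ne" in cond) {
      if (actual === cond.$ne) return false;      // {"$ne": x} matches anything but x
    } else {
      return false;                               // unsupported shape never matches
    }
  }
  return true;
}

// Constructed in-memory collection standing in for the users collection.
const USERS: UserDoc[] = [{ username: "root", password: "correct horse battery staple" }];

function findOne(query: Query): UserDoc | null {
  return USERS.find((u) => matches(u, query)) ?? null;
}

// VULNERABLE pattern: `as LoginBody` only instructs the compiler. A JSON body
// parser can deliver an object in `password`, and it flows into the query unchanged.
function loginVulnerable(body: unknown): UserDoc | null {
  const { username, password } = body as LoginBody;
  return findOne({ username, password });
}

// HARDENED pattern: check the shape and primitive types at runtime, before any
// value reaches the database layer. Operator objects are rejected here.
function parseLoginBody(body: unknown): LoginBody {
  if (typeof body !== "object" || body === null) {
    throw new TypeError("login body must be a JSON object");
  }
  const { username, password } = body as Record<string, unknown>;
  if (typeof username !== "string" || username.length === 0) {
    throw new TypeError("username must be a non-empty string");
  }
  if (typeof password !== "string" || password.length === 0) {
    throw new TypeError("password must be a non-empty string");
  }
  return { username, password };
}

function loginHardened(body: unknown): UserDoc | null {
  const { username, password } = parseLoginBody(body);
  return findOne({ username, password });
}

// Constructed request body carrying the operator object from the advisory.
const injectedBody: unknown = JSON.parse('{"username":"root","password":{"$ne":""}}');
console.log("vulnerable handler:", loginVulnerable(injectedBody)?.username ?? null); // root
try {
  loginHardened(injectedBody);
} catch (e) {
  console.log("hardened handler:", (e as Error).message);
}
```

The check in `parseLoginBody` is the part the advisory says was missing: a type assertion disappears at compile time, so only a runtime `typeof` (or a schema validator) stops a JSON object from standing in for a string. Independently of that fix, a real login path should compare a password hash in constant time rather than query the collection on the password field, which removes the injectable sink altogether.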
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Fastgpt