FastGPT Patches Two NoSQL Injection Flaws That Allowed Unauthenticated Admin Takeover of AI Agent Platform

FastGPT, the open-source AI agent building platform with 26,500 GitHub stars, patched two NoSQL injection vulnerabilities on April 17 that together formed a complete takeover chain. An unauthenticated attacker could log in as the root administrator with a single crafted HTTP request, then lock out every other account on the instance. Both flaws are fixed in version 4.14.9.5.

The Two Vulnerabilities

The first flaw, CVE-2026-40351, carries a CVSS score of 9.8 (Critical). FastGPT’s password-based login endpoint used a TypeScript type assertion (as PostLoginProps) without runtime validation, according to the GitHub security advisory. An attacker could pass a MongoDB query operator object like {"$ne": ""} as the password field instead of a string. The database would then execute a query matching any non-empty password for the target username, bypassing authentication entirely.

The proof of concept published in the advisory is a single curl command targeting the /api/support/user/account/loginByPassword endpoint with "password": {"$ne": "invalid"} in the JSON body. No credentials, no tokens, no prior access required.

The second flaw, CVE-2026-40352, carries a CVSS score of 8.8 (High). The same class of NoSQL injection existed in the password change endpoint. An authenticated attacker could bypass the “old password” verification using the same MongoDB operator injection, then change any account’s password without knowing the current one. Combined with ID manipulation, this enabled full account takeover and persistence, according to the CIRCL vulnerability entry.

The Attack Chain

Chained together, the two CVEs created a straightforward escalation path: use CVE-2026-40351 to log in as root without credentials, then use CVE-2026-40352 to change the root password (and any other account’s password) to lock out legitimate administrators and maintain persistent access. Both vulnerabilities were reserved on April 10 and published on April 17, with the patch commit addressing both issues simultaneously.

The Root Cause: TypeScript Types Are Not Runtime Validation

Both vulnerabilities share an identical root cause. FastGPT used TypeScript’s compile-time type system as though it provided runtime input validation. The login handler cast incoming request bodies with as PostLoginProps, which tells the TypeScript compiler to treat the data as a specific type but does nothing at execution time. When a JSON parser produces an object where the application expects a string, MongoDB interprets that object as a query operator.

The fix recommended in the advisory is a schema validation library like Zod that enforces type constraints at runtime: z.object({ username: z.string(), password: z.string() }). This is a pattern any team accepting JSON input into a MongoDB query should audit for.

The Pattern for Agent Platform Builders

NoSQL injection via MongoDB query operators is not new. It appears in the OWASP Testing Guide and has been documented for over a decade. What makes this case relevant for agent platform operators is the blast radius: FastGPT instances host AI agent workflows, knowledge bases, and RAG pipelines. Root admin access means access to every agent configuration, every connected data source, and every API key stored in the platform.

Self-hosted FastGPT deployments running versions prior to 4.14.9.5 should update immediately. Teams building on any Node.js/TypeScript stack with MongoDB should audit every endpoint where user input flows into a database query, and verify that runtime validation (not just TypeScript types) enforces string constraints on fields like passwords, tokens, and identifiers.