Critical severity9.8NVD Advisory· Published May 8, 2026· Updated May 12, 2026

CVE-2026-42302

Description

FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of FastGPT is vulnerable to unauthenticated Remote Code Execution (RCE). The startup script entrypoint.sh initializes code-server with the --auth none flag and binds the service to all network interfaces (0.0.0.0:8080). This configuration allows any user with network access to the port to bypass authentication and gain full control over the sandbox environment. This issue has been patched in version 4.14.13.

Affected products

Labring/Fastgptinferred
Range: >=4.14.10,<4.14.13

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/labring/FastGPT/commit/9d1cafce9241430fb5bcdd646455055c5f4ae0a4nvd
github.com/labring/FastGPT/pull/6781nvd
github.com/labring/FastGPT/releases/tag/v4.14.13nvd
github.com/labring/FastGPT/security/advisories/GHSA-34rc-438g-7w78nvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000