Auth bypass in Labring Fastgpt
CVE-2026-40252
FastGPT is an AI Agent building platform. Prior to 4.14.10.4, a Broken Access Control vulnerability (IDOR/BOLA) allows any authenticated team to access and execute applications belonging to other teams by supplying a foreign appId. While the…
EPSS: 0.000 (6.0th percentile)
Affected products
- Labring Fastgpt — versions < 4.14.10.4
Weakness classification (CWE)
References
- https://github.com/labring/FastGPT/security/advisories/GHSA-gc8m-w37w-24hw (x_refsource_CONFIRM)
- https://github.com/labring/FastGPT/releases/tag/v4.14.10.4 (x_refsource_MISC)