CVE-2026-42302
CriticalSummary
FastGPT is an AI Agent building platform that from version 4.14.10 to before 4.14.13 has a vulnerability in the agent-sandbox component. It allows unauthenticated Remote Code Execution (RCE) due to lack of authentication.
Risk Assessment
The organization is at risk of unauthorized users gaining full control over the sandbox environment, potentially leading to serious security breaches.
Recommendation
It is recommended to upgrade to version 4.14.13 or later to mitigate this vulnerability and restrict access to port 8080.
Original NVD description (English source)
FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of FastGPT is vulnerable to unauthenticated Remote Code Execution (RCE). The startup script entrypoint.sh initializes code-server with the --auth none flag and binds the service to all network interfaces (0.0.0.0:8080). This configuration allows any user with network access to the port to bypass authentication and gain full control over the sandbox environment. This issue has been patched in version 4.14.13.

