CVE-2026-42302

Source
https://cve.org/CVERecord?id=CVE-2026-42302
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42302.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42302
Aliases
  • GHSA-34rc-438g-7w78
Published
2026-05-08T22:05:49.460Z
Modified
2026-07-08T08:13:14.690054723Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
FastGPT: Unauthenticated Remote Code Execution (RCE) via code-server Misconfiguration in agent-sandbox
Details

FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of FastGPT is vulnerable to unauthenticated Remote Code Execution (RCE). The startup script entrypoint.sh initializes code-server with the --auth none flag and binds the service to all network interfaces (0.0.0.0:8080). This configuration allows any user with network access to the port to bypass authentication and gain full control over the sandbox environment. This issue has been patched in version 4.14.13.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-306"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42302.json"
}
References

Affected packages

Git / github.com/labring/fastgpt

Affected ranges

Type
GIT
Repo
https://github.com/labring/fastgpt
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "4.14.10"
        },
        {
            "fixed": "4.14.13"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

4.*
4.8.9-alpha
Other
delete
v0.*
v0.9
v1.*
v1.2
v1.4
v2.*
v2.0
v2.1
v2.2
v2.3
v2.4
v2.5
v2.6
v2.7
v2.7.1
v2.7.2
v2.8
v2.8.5
v2.9
v3.*
v3.0
v3.1
v3.2
v3.3
v3.4
v3.5
v3.7
v3.7.1
v3.7.3
v3.8
v3.8.1
v3.8.3
v3.8.4
v3.8.5
v3.8.6
v3.8.7
v3.8.8
v3.8.9
v3.9
v3.9.1
v3.9.2
v3.9.3
v3.9.4
v4.*
v4.0-beta
v4.10.0
v4.10.0-fix
v4.10.1
v4.10.1-alpha
v4.10.1-fix
v4.10.1-fix2
v4.10.1-fix3
v4.11.0
v4.11.1
v4.11.1-fix
v4.11.1-fix2
v4.11.1-fix3
v4.12.0
v4.12.1
v4.12.1-fix
v4.12.2
v4.12.2-fix
v4.12.2-fix2
v4.12.2-fix3
v4.12.3
v4.12.4
v4.13.0
v4.13.0-fix
v4.13.1
v4.13.2
v4.14.0
v4.14.0-fix
v4.14.1
v4.14.10.1
v4.14.10.2
v4.14.10.3
v4.14.10.4
v4.14.11
v4.14.12
v4.14.2
v4.14.2-fix
v4.14.3
v4.14.4
v4.14.4-cve
v4.14.5-fix
v4.14.5.1
v4.14.6
v4.14.6.1
v4.14.7
v4.14.7.1
v4.14.7.2
v4.14.8
v4.14.8.1
v4.14.8.2
v4.14.8.3
v4.14.9
v4.14.9.1
v4.14.9.2
v4.14.9.3
v4.14.9.4
v4.14.9.5
v4.2
v4.2.1
v4.2.2
v4.3
v4.4.2
v4.4.4
v4.4.5
v4.4.6
v4.4.7
v4.5
v4.5.1
v4.5.2
v4.6
v4.6.1
v4.6.1-alpha
v4.6.2
v4.6.2-alpha
v4.6.3
v4.6.3-alpha
v4.6.4
v4.6.4-alpha
v4.6.5
v4.6.5-alpha
v4.6.5-alpha2
v4.6.6
v4.6.6-alpha
v4.6.6-alpha2
v4.6.7
v4.6.7-alpha
v4.6.7-fix
v4.6.8
v4.6.8-alpha
v4.6.9
v4.6.9-alpha
v4.6.9-alpha2
v4.7
v4.7-alpha
v4.7-alpha2
v4.7-alpha3
v4.7.1
v4.7.1-alpha
v4.7.1-alpha2
v4.7.1-alpha3
v4.7.1-fix
v4.7.1-fix2
v4.8
v4.8-alpha
v4.8-alpha2
v4.8-alpha3
v4.8-preview
v4.8-preview2
v4.8-preview3
v4.8-preview4
v4.8.1
v4.8.1-alpha
v4.8.10
v4.8.10-alpha
v4.8.10-alpha2
v4.8.10-fix
v4.8.10-fix2
v4.8.11
v4.8.11-alpha
v4.8.11-alpha2
v4.8.11-beta
v4.8.11-fix
v4.8.12
v4.8.12-alpha
v4.8.12-beta
v4.8.12-fix
v4.8.13
v4.8.13-fix
v4.8.14
v4.8.14-alpha
v4.8.14-fix
v4.8.14-milvus-fix
v4.8.15
v4.8.15-alpha
v4.8.15-alpha2
v4.8.15-alpha3
v4.8.15-fix
v4.8.15-fix-emb-page
v4.8.15-fix2
v4.8.15-fix3
v4.8.16
v4.8.16-alpha
v4.8.16-beta
v4.8.17
v4.8.17-alpha
v4.8.17-fix-title
v4.8.18
v4.8.18-fix
v4.8.18-fix2
v4.8.19
v4.8.19-beta
v4.8.2
v4.8.20-fix
v4.8.20-fix2
v4.8.21
v4.8.21-fix
v4.8.22
v4.8.22-alpha
v4.8.23
v4.8.23-alpha
v4.8.23-fix
v4.8.23-fix2
v4.8.3
v4.8.4
v4.8.4-alpha
v4.8.4-fix
v4.8.5
v4.8.5-alpha
v4.8.6
v4.8.6-alpha
v4.8.6-alpha2
v4.8.7
v4.8.7-alpha
v4.8.7-alpha2
v4.8.8
v4.8.8-alpha
v4.8.8-alpha2
v4.8.8-fix
v4.8.8-fix2
v4.8.9
v4.8.9-alpha
v4.8.9-test
v4.9.0
v4.9.0-fix
v4.9.0-fix2
v4.9.1-fix
v4.9.1-fix2
v4.9.10
v4.9.10-alpha
v4.9.10-fix
v4.9.10-fix2
v4.9.11
v4.9.11-alpha
v4.9.12
v4.9.12-alpha
v4.9.13
v4.9.14
v4.9.14-fix
v4.9.2
v4.9.3
v4.9.4
v4.9.5
v4.9.5-alpha
v4.9.6
v4.9.6-alpha
v4.9.7
v4.9.7-alpha
v4.9.7-fix
v4.9.7-fix2
v4.9.8
v4.9.8-alpha
v4.9.9
v4.9.9-alpha

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42302.json"