CVE-2026-26003 Overview
CVE-2026-26003 is an authentication bypass vulnerability in FastGPT, an AI Agent building platform. The vulnerability allows attackers to directly access the plugin system through the /api/plugin/xxx endpoint without proper authentication, potentially causing plugin system crashes and loss of plugin installation status.
Critical Impact
Unauthenticated access to the FastGPT plugin system can lead to denial of service conditions and plugin state corruption, though sensitive key material is not exposed.
Affected Products
- FastGPT versions 4.14.0 through 4.14.5
- FastGPT marketplace API endpoints
- FastGPT plugin system API endpoints
Discovery Timeline
- 2026-02-10 - CVE-2026-26003 published to NVD
- 2026-02-10 - Last updated in NVD database
Technical Details for CVE-2026-26003
Vulnerability Analysis
This vulnerability stems from missing authentication controls on the plugin API endpoints in FastGPT. The /api/plugin/[...pluginRequestPath].ts and /api/marketplace/[...path].ts routes lacked proper authorization checks, allowing any unauthenticated user to interact with the plugin system. The vulnerable code directly proxied requests to the plugin backend (PLUGIN_BASE_URL) using a static PLUGIN_TOKEN without first verifying the caller's identity or permissions.
The attack is network-accessible with low complexity, requiring no user interaction or special privileges. While the vulnerability does not result in direct key leakage or confidentiality breaches, it enables attackers to manipulate the plugin system state, potentially crashing the plugin service and corrupting plugin installation records.
Root Cause
The root cause is a missing authentication check (CWE-601) on sensitive API routes. The original implementation of the plugin proxy endpoint forwarded requests to the internal plugin service without verifying that the requesting user had administrative privileges. The marketplace endpoint similarly lacked authorization controls, allowing unauthenticated access to plugin management operations.
Attack Vector
An attacker can exploit this vulnerability by sending direct HTTP requests to the FastGPT plugin API endpoints. The attack requires only network access to the FastGPT instance—no authentication credentials, user interaction, or special conditions are needed. By crafting requests to /api/plugin/xxx or /api/marketplace/xxx, attackers can:
- Enumerate available plugins and their configuration
- Trigger plugin state changes without authorization
- Cause denial of service by overwhelming the plugin system
- Corrupt plugin installation status, affecting system functionality
// Vulnerable code - plugin proxy without authentication (REMOVED in fix)
// Source: https://github.com/labring/FastGPT/commit/0beb52a2f3dc4067aab011cc98122d1352823b0c
-import type { ApiRequestProps, ApiResponseType } from '@fastgpt/service/type/next';
-import { PLUGIN_BASE_URL, PLUGIN_TOKEN } from '@fastgpt/service/thirdProvider/fastgptPlugin';
-
-export type PluginQuery = {
- pluginRequestPath: string[];
-};
-export type PluginBody = {};
-export type PluginResponse = {};
-
-async function handler(req: ApiRequestProps<PluginBody, PluginQuery>, res: ApiResponseType<any>) {
- const { pluginRequestPath } = req.query;
- const urlObj = new URL(pluginRequestPath.join('/'), PLUGIN_BASE_URL);
- Object.entries(req.query).forEach(([key, value]) => {
- if (key !== 'pluginRequestPath') {
- urlObj.searchParams.set(key, String(value));
- }
- });
- const body =
- req.method?.toUpperCase() === 'POST' || req.method === 'PUT'
- ? JSON.stringify(req.body)
- : undefined;
- const pluginRes = await fetch(urlObj.toString(), {
- method: req.method,
- body,
- headers: {
- authtoken: PLUGIN_TOKEN,
- 'Content-Type': 'application/json'
- }
- });
- res.status(pluginRes.status);
Source: GitHub Commit 0beb52a
Detection Methods for CVE-2026-26003
Indicators of Compromise
- Unusual HTTP requests to /api/plugin/* or /api/marketplace/* endpoints from unauthenticated sources
- High volume of API calls to plugin endpoints without corresponding user session data
- Plugin system crashes or unexpected restarts coinciding with external API traffic
- Plugin installation status changes without administrative action in audit logs
Detection Strategies
- Implement web application firewall (WAF) rules to monitor and alert on unauthorized access attempts to /api/plugin/ and /api/marketplace/ paths
- Enable detailed access logging for all API endpoints and review for requests lacking authentication headers
- Configure intrusion detection systems (IDS) to flag repeated requests to plugin management endpoints from external IP addresses
- Monitor application logs for authentication failures or bypasses on administrative routes
Monitoring Recommendations
- Set up real-time alerting for HTTP 200 responses on plugin API routes from non-authenticated sessions
- Track plugin system health metrics and correlate anomalies with network traffic patterns
- Implement rate limiting on plugin endpoints to detect and mitigate enumeration or DoS attempts
- Regularly audit API endpoint configurations to ensure authentication requirements are enforced
How to Mitigate CVE-2026-26003
Immediate Actions Required
- Upgrade FastGPT to version 4.14.5-fix or later immediately
- Review access logs for evidence of exploitation attempts against plugin endpoints
- Temporarily restrict network access to FastGPT instances if immediate patching is not possible
- Verify plugin installation states after patching to ensure integrity
Patch Information
The vulnerability is fixed in FastGPT version 4.14.5-fix. The patch adds proper authentication by implementing the authSystemAdmin middleware check before processing plugin and marketplace API requests. The fix ensures only authenticated system administrators can access these sensitive endpoints.
// Fixed code - authentication added to marketplace endpoint
// Source: https://github.com/labring/FastGPT/commit/0beb52a2f3dc4067aab011cc98122d1352823b0c
import type { NextApiRequest, NextApiResponse } from 'next';
import { jsonRes } from '@fastgpt/service/common/response';
import { Readable } from 'stream';
+import { authSystemAdmin } from '@fastgpt/service/support/permission/user/auth';
export default async function handler(req: NextApiRequest, res: NextApiResponse) {
try {
+ await authSystemAdmin({ req });
const { path = [], ...query } = req.query as any;
const queryStr = new URLSearchParams(query).toString();
Source: GitHub Commit 0beb52a
For detailed patch information, see the GitHub Security Advisory GHSA-wcrg-g824-9gfg and release notes for v4.14.5-fix.
Workarounds
- Place FastGPT behind a reverse proxy that enforces authentication for /api/plugin/* and /api/marketplace/* routes
- Implement network segmentation to restrict access to the FastGPT application to trusted internal networks only
- Use firewall rules to block external access to plugin management endpoints until patching can be completed
- Disable the plugin system temporarily if it is not critical to operations
# Example nginx configuration to block unauthenticated plugin API access
location /api/plugin/ {
# Deny all external access until patch is applied
deny all;
# Or restrict to admin IP addresses only
# allow 10.0.0.0/8;
# deny all;
}
location /api/marketplace/ {
deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
