CVE-2026-26003: FastGPT Auth Bypass Vulnerability

CVE-2026-26003 Overview

CVE-2026-26003 is an authentication bypass vulnerability in FastGPT, an AI Agent building platform. The vulnerability allows attackers to directly access the plugin system through the /api/plugin/xxx endpoint without proper authentication, potentially causing plugin system crashes and loss of plugin installation status.

Critical Impact
Unauthenticated access to the FastGPT plugin system can lead to denial of service conditions and plugin state corruption, though sensitive key material is not exposed.

Affected Products

FastGPT versions 4.14.0 through 4.14.5
FastGPT marketplace API endpoints
FastGPT plugin system API endpoints

Discovery Timeline

2026-02-10 - CVE-2026-26003 published to NVD
2026-02-10 - Last updated in NVD database

Technical Details for CVE-2026-26003

Vulnerability Analysis

This vulnerability stems from missing authentication controls on the plugin API endpoints in FastGPT. The /api/plugin/[...pluginRequestPath].ts and /api/marketplace/[...path].ts routes lacked proper authorization checks, allowing any unauthenticated user to interact with the plugin system. The vulnerable code directly proxied requests to the plugin backend (PLUGIN_BASE_URL) using a static PLUGIN_TOKEN without first verifying the caller's identity or permissions.

The attack is network-accessible with low complexity, requiring no user interaction or special privileges. While the vulnerability does not result in direct key leakage or confidentiality breaches, it enables attackers to manipulate the plugin system state, potentially crashing the plugin service and corrupting plugin installation records.

Root Cause

The root cause is a missing authentication check (CWE-601) on sensitive API routes. The original implementation of the plugin proxy endpoint forwarded requests to the internal plugin service without verifying that the requesting user had administrative privileges. The marketplace endpoint similarly lacked authorization controls, allowing unauthenticated access to plugin management operations.

Attack Vector

An attacker can exploit this vulnerability by sending direct HTTP requests to the FastGPT plugin API endpoints. The attack requires only network access to the FastGPT instance—no authentication credentials, user interaction, or special conditions are needed. By crafting requests to /api/plugin/xxx or /api/marketplace/xxx, attackers can:

Enumerate available plugins and their configuration
Trigger plugin state changes without authorization
Cause denial of service by overwhelming the plugin system
Corrupt plugin installation status, affecting system functionality

typescript

// Vulnerable code - plugin proxy without authentication (REMOVED in fix)
// Source: https://github.com/labring/FastGPT/commit/0beb52a2f3dc4067aab011cc98122d1352823b0c

-import type { ApiRequestProps, ApiResponseType } from '@fastgpt/service/type/next';
-import { PLUGIN_BASE_URL, PLUGIN_TOKEN } from '@fastgpt/service/thirdProvider/fastgptPlugin';
-
-export type PluginQuery = {
-  pluginRequestPath: string[];
-};
-export type PluginBody = {};
-export type PluginResponse = {};
-
-async function handler(req: ApiRequestProps<PluginBody, PluginQuery>, res: ApiResponseType<any>) {
-  const { pluginRequestPath } = req.query;
-  const urlObj = new URL(pluginRequestPath.join('/'), PLUGIN_BASE_URL);
-  Object.entries(req.query).forEach(([key, value]) => {
-    if (key !== 'pluginRequestPath') {
-      urlObj.searchParams.set(key, String(value));
-    }
-  });
-  const body =
-    req.method?.toUpperCase() === 'POST' || req.method === 'PUT'
-      ? JSON.stringify(req.body)
-      : undefined;
-  const pluginRes = await fetch(urlObj.toString(), {
-    method: req.method,
-    body,
-    headers: {
-      authtoken: PLUGIN_TOKEN,
-      'Content-Type': 'application/json'
-    }
-  });
-  res.status(pluginRes.status);

Source: GitHub Commit 0beb52a

Detection Methods for CVE-2026-26003

Indicators of Compromise

Unusual HTTP requests to /api/plugin/* or /api/marketplace/* endpoints from unauthenticated sources
High volume of API calls to plugin endpoints without corresponding user session data
Plugin system crashes or unexpected restarts coinciding with external API traffic
Plugin installation status changes without administrative action in audit logs

Detection Strategies

Implement web application firewall (WAF) rules to monitor and alert on unauthorized access attempts to /api/plugin/ and /api/marketplace/ paths
Enable detailed access logging for all API endpoints and review for requests lacking authentication headers
Configure intrusion detection systems (IDS) to flag repeated requests to plugin management endpoints from external IP addresses
Monitor application logs for authentication failures or bypasses on administrative routes

Monitoring Recommendations

Set up real-time alerting for HTTP 200 responses on plugin API routes from non-authenticated sessions
Track plugin system health metrics and correlate anomalies with network traffic patterns
Implement rate limiting on plugin endpoints to detect and mitigate enumeration or DoS attempts
Regularly audit API endpoint configurations to ensure authentication requirements are enforced

How to Mitigate CVE-2026-26003

Immediate Actions Required

Upgrade FastGPT to version 4.14.5-fix or later immediately
Review access logs for evidence of exploitation attempts against plugin endpoints
Temporarily restrict network access to FastGPT instances if immediate patching is not possible
Verify plugin installation states after patching to ensure integrity

Patch Information

The vulnerability is fixed in FastGPT version 4.14.5-fix. The patch adds proper authentication by implementing the authSystemAdmin middleware check before processing plugin and marketplace API requests. The fix ensures only authenticated system administrators can access these sensitive endpoints.