Cyber Resilience

CVE-2026-40252

Medium

Published: 10 April 2026

Modified: 21 April 2026
KEV Added:
Patch:
CVSS Score v4: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0034 (25.9th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-40252 is a medium-severity Improper Access Control (CWE-284) vulnerability in FastGPT. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 25.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-40252 is a Broken Access Control vulnerability, specifically an Insecure Direct Object Reference (IDOR) or Broken Object Level Authorization (BOLA), affecting FastGPT, an AI Agent building platform, in versions prior to 4.14.10.4. The flaw occurs in the API, which correctly validates the team token for authentication but fails to verify that the requested application belongs to the authenticated team when a foreign appId is supplied. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-284 (Improper Access Control) and CWE-639 (Authorization Bypass Through User-Controlled Key).

Any authenticated user belonging to one team can exploit this vulnerability over the network with low complexity and no user interaction required. By providing an appId from another team, the attacker gains unauthorized access to execute that team's applications, resulting in cross-tenant data exposure and the ability to run private AI workflows without permission.

The vulnerability is addressed in FastGPT version 4.14.10.4. Additional details on the fix and mitigation are available in the GitHub security advisory at https://github.com/labring/FastGPT/security/advisories/GHSA-gc8m-w37w-24hw and the release notes at https://github.com/labring/FastGPT/releases/tag/v4.14.10.4.
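
The missing check described above, as an added sketch that is not FastGPT's own code: a handler that authenticates the team token but looks the application up by appId alone, beside one that ties the lookup to the authenticated team. The data store, token values and function names are assumptions made for illustration.

```javascript
// Constructed sample data: two tenants, each owning one application.
const APPS = new Map([
  ["app-a1", { teamId: "team-a", name: "A's support bot" }],
  ["app-b1", { teamId: "team-b", name: "B's private workflow" }],
]);
// Constructed team tokens (hypothetical format).
const TEAM_TOKENS = new Map([
  ["tok-team-a", "team-a"],
  ["tok-team-b", "team-b"],
]);

// Authentication only: resolves the caller's team or rejects the request.
function authenticateTeam(token) {
  const teamId = TEAM_TOKENS.get(token);
  if (!teamId) throw Object.assign(new Error("invalid team token"), { status: 401 });
  return teamId;
}

// Vulnerable pattern: the token is valid, but appId is trusted as supplied.
function runAppVulnerable(token, appId) {
  authenticateTeam(token); // result discarded, so ownership is never checked
  const app = APPS.get(appId);
  if (!app) throw Object.assign(new Error("app not found"), { status: 404 });
  return { status: 200, ran: app.name };
}

// Hardened pattern: object-level authorization binds appId to the caller's team.
function runAppHardened(token, appId) {
  const teamId = authenticateTeam(token);
  const app = APPS.get(appId);
  // Same 404 for "missing" and "foreign" so app ids cannot be enumerated.
  if (!app || app.teamId !== teamId) {
    throw Object.assign(new Error("app not found"), { status: 404 });
  }
  return { status: 200, ran: app.name };
}

// Helper for checks: the HTTP-style status a call would produce.
function statusOf(fn, token, appId) {
  try { return fn(token, appId).status; } catch (e) { return e.status; }
}
```

A regression test for the fix is the cross-tenant case: team A's token with team B's appId must be rejected by the hardened handler.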

Vulnerability details

FastGPT is an AI Agent building platform. Prior to 4.14.10.4, a Broken Access Control vulnerability (IDOR/BOLA) allows any authenticated team to access and execute applications belonging to other teams by supplying a foreign appId. While the API correctly validates the team token, it does not verify that the requested application belongs to the authenticated team. This leads to cross-tenant data exposure and unauthorized execution of private AI workflows. This vulnerability is fixed in 4.14.10.4.

AI Security Analysis

AI Category: LLM Application Platforms
Risk Domain: Privacy and Disclosure
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Broken access control (IDOR/BOLA) in a public-facing API allows network exploitation by authenticated users to access and execute unauthorized cross-tenant resources.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40351 (same product: FastGPT)
CVE-2026-40352 (same product: FastGPT)
CVE-2026-34162 (same product: FastGPT)
CVE-2026-33075 (same product: FastGPT)
CVE-2026-34163 (same product: FastGPT)
CVE-2026-31874 (shared CWE-284, CWE-639)
CVE-2026-41277 (shared CWE-284, CWE-639)
CVE-2026-45398 (shared CWE-639)
CVE-2026-41947 (shared CWE-639)
CVE-2025-41258 (shared CWE-284)

Affected Assets

fastgpt
fastgpt
≤ 4.14.10.4

Mitigating Controls (NIST 800-53 r5)

prevent: Directly mandates enforcement of approved authorizations for logical access to resources like applications, addressing the failure to verify team ownership of the requested appId.

prevent: Requires explicit automated access control decisions for specific system resources such as applications, preventing IDOR/BOLA exploitation via foreign appIds.

prevent: Principle of least privilege restricts access to only team-owned applications, mitigating unauthorized cross-tenant execution of private AI workflows.
