Cyber Posture

CVE-2026-40252

High

Published: 10 April 2026
Modified: 21 April 2026
KEV Added: not listed
Patch: fixed in 4.14.10.4
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0005 (15.3th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-40252 is a high-severity Improper Access Control (CWE-284) vulnerability in FastGPT (vendor/product: Fastgpt Fastgpt). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 15.3th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is classed as AI-related (category: APIs and Models).

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)

Directly mandates enforcement of approved authorizations for logical access to resources such as applications, addressing the failure to verify team ownership of the requested appId.

AC-24 Access Control Decisions (prevent)

Requires explicit automated access control decisions for specific system resources such as applications, preventing IDOR/BOLA exploitation via foreign appIds.

AC-6 Least Privilege (prevent)

The principle of least privilege restricts access to team-owned applications only, mitigating unauthorized cross-tenant execution of private AI workflows.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Broken access control (IDOR/BOLA) in a public-facing API lets authenticated users access or execute unauthorized cross-tenant resources over the network.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

FastGPT is an AI Agent building platform. Prior to 4.14.10.4, a Broken Access Control vulnerability (IDOR/BOLA) allows any authenticated team to access and execute applications belonging to other teams by supplying a foreign appId. While the API correctly validates the team token, it does not verify that the requested application belongs to the authenticated team. This leads to cross-tenant data exposure and unauthorized execution of private AI workflows. This vulnerability is fixed in 4.14.10.4.

Deeper analysis

CVE-2026-40252 is a Broken Access Control vulnerability, specifically an Insecure Direct Object Reference (IDOR) or Broken Object Level Authorization (BOLA), affecting FastGPT, an AI Agent building platform, in versions prior to 4.14.10.4. The flaw occurs in the API, which correctly validates the team token for authentication but fails to verify that the requested application belongs to the authenticated team when a foreign appId is supplied. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-284 (Improper Access Control) and CWE-639 (Authorization Bypass Through User-Controlled Key).

Any authenticated user belonging to one team can exploit this vulnerability over the network with low complexity and no user interaction required. By providing an appId from another team, the attacker gains unauthorized access to execute that team's applications, resulting in cross-tenant data exposure and the ability to run private AI workflows without permission.

The vulnerability is addressed in FastGPT version 4.14.10.4. Additional details on the fix and mitigation are available in the GitHub security advisory at https://github.com/labring/FastGPT/security/advisories/GHSA-gc8m-w37w-24hw and the release notes at https://github.com/labring/FastGPT/releases/tag/v4.14.10.4.
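The missing ownership check described above, shown as an added illustration that is not FastGPT's own code: a hypothetical team-scoped application lookup in its vulnerable form beside a hardened form that ties the requested appId to the authenticated team and records denied cross-tenant attempts for detection. The names (`loadAppVulnerable`, `loadAppHardened`, `APPS`, `auditLog`), the sample tenants, and the assumption that the team token has already been validated (so `teamId` on the request is trusted) are all constructed for this example.

```typescript
// Added example (not FastGPT code). The team token is assumed to be validated
// upstream, so `teamId` is trusted; `appId` is the user-controlled key (CWE-639).
type App = { appId: string; teamId: string; name: string };
type AuthedRequest = { teamId: string; appId: string };
type Outcome =
  | { status: 200; app: App }
  | { status: 404; reason: string };

// Constructed sample data: two tenants, each owning one private workflow.
const APPS: App[] = [
  { appId: "app-1", teamId: "team-A", name: "team A workflow" },
  { appId: "app-2", teamId: "team-B", name: "team B workflow" },
];

// Denied cross-tenant lookups are appended here so they can be alerted on.
const auditLog: string[] = [];

// Vulnerable shape: the object is fetched by the caller-supplied key alone.
// Authentication succeeded, so the caller is a real team, but nothing checks
// that the app belongs to that team (IDOR/BOLA).
function loadAppVulnerable(req: AuthedRequest): Outcome {
  const app = APPS.find((a) => a.appId === req.appId);
  if (!app) return { status: 404, reason: "no such app" };
  return { status: 200, app };
}

// Hardened shape: ownership is part of the authorization decision (AC-3 /
// AC-24). A mismatch is logged with both team ids; the caller gets the same
// 404 as for a non-existent app, so responses do not reveal which appIds
// exist in other tenants.
function loadAppHardened(req: AuthedRequest): Outcome {
  const app = APPS.find((a) => a.appId === req.appId);
  if (!app) return { status: 404, reason: "no such app" };
  if (app.teamId !== req.teamId) {
    auditLog.push(
      `DENY cross-tenant app access team=${req.teamId} appId=${req.appId} owner=${app.teamId}`,
    );
    return { status: 404, reason: "no such app" };
  }
  return { status: 200, app };
}
```

Every endpoint that executes a workflow should go through the hardened loader rather than a separate lookup, so the ownership check cannot be bypassed by choosing a different route.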

Details

CWE(s): CWE-284 (Improper Access Control), CWE-639 (Authorization Bypass Through User-Controlled Key)

Affected Products: fastgpt / fastgpt, versions ≤ 4.14.10.4

AI Security Analysis

AI Category: APIs and Models
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai, ai

CVEs Like This One

CVE-2026-40351 (same product: Fastgpt Fastgpt)
CVE-2026-40352 (same product: Fastgpt Fastgpt)
CVE-2026-34162 (same product: Fastgpt Fastgpt)
CVE-2026-34163 (same product: Fastgpt Fastgpt)
CVE-2026-33075 (same product: Fastgpt Fastgpt)
CVE-2026-31874 (shared CWE-284, CWE-639)
CVE-2026-25758 (shared CWE-284, CWE-639)
CVE-2025-62166 (shared CWE-284, CWE-639)
CVE-2026-21447 (shared CWE-284, CWE-639)
CVE-2026-20897 (shared CWE-284, CWE-639)

References

GitHub security advisory: https://github.com/labring/FastGPT/security/advisories/GHSA-gc8m-w37w-24hw
Release notes for the fixed version: https://github.com/labring/FastGPT/releases/tag/v4.14.10.4