<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Nosql-Injection — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/nosql-injection/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 18 Apr 2026 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/nosql-injection/feed.xml" rel="self" type="application/rss+xml"/><item><title>FastGPT NoSQL Injection Vulnerability (CVE-2026-40351)</title><link>https://feed.craftedsignal.io/briefs/2026-04-fastgpt-nosql-injection/</link><pubDate>Sat, 18 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-fastgpt-nosql-injection/</guid><description>FastGPT versions before 4.14.9.5 are vulnerable to NoSQL injection, allowing unauthenticated attackers to bypass authentication and gain administrative access.</description><content:encoded><![CDATA[<p>FastGPT is an AI Agent building platform. Versions prior to 4.14.9.5 are susceptible to a critical NoSQL injection vulnerability (CVE-2026-40351) affecting the password-based login endpoint. The vulnerability stems from the use of TypeScript type assertion without runtime validation, enabling unauthenticated attackers to inject MongoDB query operators within the password field. This bypasses the intended password check, granting the attacker the ability to authenticate as any user, including the root administrator. Successful exploitation leads to complete control over the FastGPT instance and its associated data. This vulnerability was addressed in FastGPT version 4.14.9.5. 
All users of FastGPT versions prior to 4.14.9.5 are vulnerable to this attack.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a vulnerable FastGPT instance running a version prior to 4.14.9.5.</li>
<li>The attacker crafts a malicious HTTP POST request to the password-based login endpoint.</li>
<li>Within the POST request body, the attacker places a MongoDB query operator object (e.g., <code>{&quot;$ne&quot;: &quot;&quot;}</code>) in the password field, bypassing the standard password check.</li>
<li>The vulnerable FastGPT application processes the malicious request without proper validation.</li>
<li>The MongoDB query operator is executed, bypassing the authentication mechanism.</li>
<li>The attacker is granted unauthorized access to the FastGPT application, assuming the identity of an arbitrary user, including the root administrator.</li>
<li>The attacker leverages their administrative privileges to access sensitive data, modify configurations, or perform other malicious actions within the FastGPT instance.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-40351 allows an unauthenticated attacker to gain complete control over a FastGPT instance. This can lead to unauthorized access to sensitive AI agent configurations, user data, and other critical information. The impact includes data breaches, service disruption, and potential compromise of downstream systems that rely on the FastGPT platform. Given the critical nature of AI agent building platforms, the compromise of a FastGPT instance can have far-reaching consequences.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade all FastGPT instances to version 4.14.9.5 or later to patch CVE-2026-40351.</li>
<li>Deploy the Sigma rule <code>Detect FastGPT NoSQL Injection Attempt</code> to identify potential exploitation attempts targeting the login endpoint.</li>
<li>Monitor web server logs for unusual POST requests to the login endpoint, specifically looking for MongoDB query operators within the password field as detected by rule <code>Detect FastGPT NoSQL Injection Attempt</code>.</li>
<li>Review and restrict network access to the FastGPT instance to only authorized users and systems to minimize the attack surface.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>NoSQL injection</category><category>authentication bypass</category><category>CVE-2026-40351</category><category>FastGPT</category></item><item><title>FastGPT NoSQL Injection Vulnerability in Password Change Endpoint</title><link>https://feed.craftedsignal.io/briefs/2026-04-fastgpt-nosql/</link><pubDate>Fri, 17 Apr 2026 22:16:32 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-fastgpt-nosql/</guid><description>FastGPT versions prior to 4.14.9.5 are vulnerable to NoSQL injection in the password change endpoint, allowing authenticated attackers to bypass password verification and perform account takeover.</description><content:encoded><![CDATA[<p>FastGPT, an AI Agent building platform, is susceptible to a critical NoSQL injection vulnerability affecting versions before 4.14.9.5. The flaw resides within the password change endpoint, enabling an authenticated attacker to circumvent the required &ldquo;old password&rdquo; verification step. By injecting MongoDB query operators, an attacker with an existing, low-privileged session can manipulate password changes for their own account, or potentially other accounts if combined with ID manipulation techniques. This leads to full account takeover, allowing attackers to maintain persistence and potentially compromise sensitive data. This vulnerability has been patched in version 4.14.9.5; users are urged to upgrade immediately.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to a FastGPT account with low privileges through legitimate means (e.g., registration or stolen credentials).</li>
<li>Attacker navigates to the password change endpoint within the FastGPT application.</li>
<li>The attacker crafts a malicious request to the password change endpoint, injecting MongoDB query operators into the &ldquo;old password&rdquo; field. For example, using a payload like <code>{$ne: &quot;legitimate_old_password&quot;}</code>.</li>
<li>The application&rsquo;s backend improperly processes the injected query operators, failing to correctly validate the old password against the stored hash.</li>
<li>The attacker provides a new password and confirms it within the crafted request.</li>
<li>The FastGPT application updates the account&rsquo;s password in the database, replacing the original password with the attacker-controlled value.</li>
<li>The attacker logs out and logs back in using the newly set password, gaining full control of the compromised account.</li>
<li>The attacker leverages the compromised account to access sensitive data, modify configurations, or perform other malicious activities within the FastGPT platform.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows attackers to take complete control of FastGPT accounts. The consequences range from unauthorized access to sensitive data and configurations to potential manipulation of AI agent behavior. This account takeover can lead to data breaches, service disruption, and reputational damage. While the specific number of victims is unknown, any FastGPT instance running a version prior to 4.14.9.5 is vulnerable, potentially affecting a wide range of users and organizations. The CVSS v3.1 base score of 8.8 highlights the severity of this issue.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade all FastGPT installations to version 4.14.9.5 or later to patch the NoSQL injection vulnerability (CVE-2026-40352).</li>
<li>Implement the Sigma rule <code>Detect FastGPT Password Reset Bypass</code> to detect potential exploitation attempts against the password change endpoint.</li>
<li>Review FastGPT webserver logs for unusual patterns or MongoDB query operators within requests to the password change endpoint to identify potential compromises.</li>
<li>Enable and review detailed webserver logging for FastGPT to increase visibility into HTTP requests.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>nosql-injection</category><category>account-takeover</category><category>cve</category><category>fastgpt</category><category>privilege-escalation</category></item><item><title>UniFi Network Application Vulnerabilities CVE-2026-22557 and CVE-2026-22558</title><link>https://feed.craftedsignal.io/briefs/2026-03-unifi-vulns/</link><pubDate>Sat, 21 Mar 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-unifi-vulns/</guid><description>A combination of path traversal (CVE-2026-22557) and NoSQL injection (CVE-2026-22558) vulnerabilities in the UniFi Network Application allows attackers to access files, escalate privileges, and potentially compromise the entire system.</description><content:encoded>&lt;p>The UniFi Network Application, a central platform for managing network devices across enterprise and SMB environments, is affected by two critical vulnerabilities: CVE-2026-22557 (Path Traversal) and CVE-2026-22558 (Authenticated NoSQL Injection). These vulnerabilities impact Official Release versions 10.1.85 and earlier, Release Candidate versions 10.2.93 and earlier, and UniFi Express (UX) versions 9.0.114 and earlier. Exploitation of CVE-2026-22557 enables attackers to access and manipulate…&lt;/p>
</content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>unifi</category><category>path-traversal</category><category>nosql-injection</category><category>cve-2026-22557</category><category>cve-2026-22558</category></item></channel></rss>