FastGPT Unauthenticated Plugin System Access Vulnerability

Vulnerability

A vulnerability in FastGPT versions 4.14.0 to 4.14.5 allows attackers to access the plugin system without authentication through the FastGPT/api/plugin/xxx endpoint. This unauthorized access can disrupt the plugin system, potentially causing it to crash and leading to a loss of plugin installation status. It does not, however, result in key leakage. In earlier versions the impact is minimal, as the interfaces available there only provide informational access.

Impact

Exploitation of this vulnerability can cause the plugin system to crash and result in the loss of plugin installation status.

Remediation

Users are advised to upgrade to FastGPT version 4.14.5-fix. Alternatively, use gateway rules to block all requests to '{{FastGPT host}}/api/plugin/*'.
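As an added example (not code from the FastGPT project or from this advisory), the gateway workaround above expressed as a small request filter. It assumes the gateway sees the raw request path before FastGPT does and canonicalises it (percent-decoding, duplicate slashes, dot segments) before matching the /api/plugin/ prefix, so that differently spelled forms of the same route are not passed through.

```python
"""Gateway-style deny rule for the FastGPT /api/plugin/* workaround.

Added example, not FastGPT project code. Assumption: this runs in front of
FastGPT and answers blocked routes itself instead of forwarding them.
"""
import posixpath
from urllib.parse import unquote

# Prefix named in the advisory's remediation; extend the tuple if needed.
BLOCKED_PREFIXES = ("/api/plugin/",)


def canonical_path(raw_path: str) -> str:
    """Return the path FastGPT would ultimately route for a raw request.

    Drops the query string, percent-decodes (repeatedly, in case the
    upstream decodes again), collapses duplicate slashes and resolves
    '.'/'..' segments. A trailing slash from the request is preserved.
    """
    path = raw_path.split("?", 1)[0]
    for _ in range(3):  # bounded loop: decode nested encodings conservatively
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    had_trailing_slash = path.endswith("/")
    path = posixpath.normpath("/" + path.lstrip("/"))
    if had_trailing_slash and not path.endswith("/"):
        path += "/"
    return path


def is_blocked(raw_path: str) -> bool:
    """True when the canonical path is the plugin root or anything below it."""
    path = canonical_path(raw_path)
    return any(path == p.rstrip("/") or path.startswith(p) for p in BLOCKED_PREFIXES)


def handle(method: str, raw_path: str) -> int:
    """HTTP status the gateway answers with: 403 for plugin routes, else 200
    (meaning: forward to FastGPT unchanged)."""
    return 403 if is_blocked(raw_path) else 200


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for req in ("/api/plugin/list", "/api//plugin/install?x=1",
                "/api/%70lugin/list", "/api/core/chat", "/api/plugin/../core"):
        print(f"{req:32} -> {handle('GET', req)}")
```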

Added: Feb 10, 2026, 6:19 PM
Updated: Feb 11, 2026, 1:31 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.9
exploitability: 8.1
remediation: 0.0
relevance: 3.0
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.