FastGPT CVE-2026-42302 — Agent Sandbox RCE via Disabled Authentication
AI relevance: FastGPT's agent-sandbox component — the execution environment where AI agents run untrusted code — shipped with code-server listening on all interfaces with authentication completely disabled, giving any network-reachable attacker full RCE in a container designed to handle AI-generated workloads.
What happened
- CVE-2026-42302 is a critical unauthenticated RCE in FastGPT's agent-sandbox component, scored CVSS 9.8, published May 8, 2026.
- The sandbox's entrypoint.sh startup script launches code-server with the --auth none flag and binds it to 0.0.0.0:8080, exposing the full IDE to any network-reachable host with zero authentication.
- Any attacker with network access to port 8080 gains immediate administrative control over the sandbox environment, enabling arbitrary command execution.
- The vulnerability affects FastGPT versions 4.14.10 through 4.14.12 (exclusive); patched in version 4.14.13.
- This is a separate vulnerability from the FastGPT SSRF cluster (CVE-2026-44286/44284/42344) published earlier this week — a distinct flaw in the agent-sandbox startup configuration, not the MCP/SSRF attack surface.
Why it matters
AI agent platforms use sandboxed containers to safely execute untrusted, AI-generated code. When the sandbox's own entrypoint disables authentication on a network-facing port, the entire isolation model collapses. An attacker does not need to craft a prompt injection or exploit the LLM — they can connect directly to the exposed code-server and execute commands. For FastGPT deployments where the sandbox has network access to databases, internal APIs, or mounted secrets, this translates to full environment compromise. The fact that this is a startup misconfiguration rather than a code defect makes it easy to miss in code reviews but trivial to exploit in the wild.
What to do
- Upgrade FastGPT to ≥ 4.14.13 immediately if running the agent-sandbox component.
- Scan for exposed code-server instances on port 8080 in your infrastructure, especially those started with --auth none.
- Ensure agent sandbox containers are network-isolated and cannot reach sensitive internal resources, regardless of authentication settings.
- Review all container entrypoint scripts and Dockerfiles for authentication-disabling flags in AI execution environments.
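The last two recommendations (look for --auth none, review entrypoint scripts and Dockerfiles) can be turned into a repeatable check. The Python below is an added example written for this advisory, not FastGPT's own code: it scans a startup script or Dockerfile for code-server invocations and reports any that disable authentication or bind to every interface. The sample entrypoint.sh and Dockerfile texts inside it are constructed to match the advisory's description, not copied from FastGPT; the options it inspects, --auth and --bind-addr, are real code-server flags. It goes slightly beyond the advisory by also handling the Dockerfile exec form (JSON array) and IPv6 wildcard binds, and it shows the hardened launch (password auth, loopback bind) next to the weak one.

```python
"""Audit container entrypoint scripts and Dockerfiles for code-server started
without authentication or bound to all interfaces.

Added example for this advisory; not FastGPT's own code. The sample inputs at
the bottom are constructed, not the real entrypoint.sh. The two code-server
options checked, --auth <none|password> and --bind-addr <host:port>, are real
code-server flags.
"""
from __future__ import annotations

import json
import re
import shlex
from dataclasses import dataclass, field

# Hosts that mean "every interface"; code-server itself defaults to 127.0.0.1:8080.
ALL_INTERFACE_HOSTS = {"0.0.0.0", "::", "[::]", ""}


@dataclass
class Finding:
    line_no: int           # first line of the (possibly backslash-continued) command
    command: str           # the joined command text
    auth_disabled: bool    # --auth none seen
    bind_all: bool         # --bind-addr on 0.0.0.0 / :: seen
    problems: list[str] = field(default_factory=list)


def _join_continuations(text: str) -> list[tuple[int, str]]:
    """Join backslash-continued shell lines, remembering where each command starts."""
    commands: list[tuple[int, str]] = []
    buf: list[str] = []
    start = 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not buf:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        commands.append((start, " ".join(buf)))
        buf = []
    if buf:  # file ended inside a continuation
        commands.append((start, " ".join(buf)))
    return commands


def _argv(line: str) -> list[str]:
    """argv for a shell line or a Dockerfile CMD/ENTRYPOINT (exec or shell form)."""
    stripped = line.strip()
    m = re.match(r"^(?:CMD|ENTRYPOINT)\s+(.*)$", stripped, re.IGNORECASE)
    if m:
        stripped = m.group(1).strip()
        if stripped.startswith("["):  # exec form: JSON array of arguments
            try:
                return [str(a) for a in json.loads(stripped)]
            except ValueError:
                return []
    try:
        return shlex.split(stripped, comments=True)
    except ValueError:  # unbalanced quotes and similar: skip the line
        return []


def audit_entrypoint(text: str) -> list[Finding]:
    """Return one Finding per code-server invocation that has a problem."""
    findings: list[Finding] = []
    for line_no, command in _join_continuations(text):
        argv = _argv(command)
        if not any(tok.endswith("code-server") for tok in argv):
            continue
        auth_disabled = bind_all = False
        for i, tok in enumerate(argv):
            nxt = argv[i + 1] if i + 1 < len(argv) else None
            if tok == "--auth=none" or (tok == "--auth" and nxt == "none"):
                auth_disabled = True
            bind = None
            if tok.startswith("--bind-addr="):
                bind = tok.split("=", 1)[1]
            elif tok == "--bind-addr" and nxt is not None:
                bind = nxt
            if bind is not None and bind.rsplit(":", 1)[0] in ALL_INTERFACE_HOSTS:
                bind_all = True
        problems = []
        if auth_disabled:
            problems.append("authentication disabled (--auth none); use --auth password")
        if bind_all:
            problems.append("listening on all interfaces; bind to 127.0.0.1 or keep the port unpublished")
        if problems:
            findings.append(Finding(line_no, command.strip(), auth_disabled, bind_all, problems))
    return findings


# Constructed sample modelled on the advisory's description (NOT the real file).
VULNERABLE_ENTRYPOINT = """#!/bin/sh
# start the IDE for the agent workspace
exec code-server --auth none \\
    --bind-addr 0.0.0.0:8080 /workspace
"""

# Same launch with both settings corrected; code-server reads PASSWORD from the environment.
HARDENED_ENTRYPOINT = """#!/bin/sh
: "${PASSWORD:?PASSWORD must be set for code-server}"
exec code-server --auth password --bind-addr 127.0.0.1:8080 /workspace
"""

# Constructed Dockerfile exec-form variant of the same mistake.
VULNERABLE_DOCKERFILE = """FROM example/sandbox-base:1
ENTRYPOINT ["code-server", "--auth=none", "--bind-addr=0.0.0.0:8080", "/workspace"]
"""

if __name__ == "__main__":
    for name, text in [("entrypoint.sh", VULNERABLE_ENTRYPOINT),
                       ("entrypoint.hardened.sh", HARDENED_ENTRYPOINT),
                       ("Dockerfile", VULNERABLE_DOCKERFILE)]:
        found = audit_entrypoint(text)
        print(f"{name}: {'OK' if not found else ''}")
        for f in found:
            for p in f.problems:
                print(f"  line {f.line_no}: {p}")
```

Run it against real files by passing their contents to audit_entrypoint (for example, from a CI step that walks every Dockerfile and entrypoint script in the repository). A clean result still does not replace the network-isolation recommendation above: the check only proves the launch line is sane, not that the container's port is unreachable.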