CVE-2026-34162
Published: 31 March 2026
Summary
CVE-2026-34162 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Fastgpt Fastgpt. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-34162 is a critical vulnerability (CVSS 10.0; CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L) in FastGPT, an AI Agent building platform, affecting versions prior to 4.14.9.5. The issue stems from the HTTP tools testing endpoint (/api/core/app/httpTools/runTool) being exposed without authentication, functioning as a full HTTP proxy. It accepts user-supplied parameters including baseUrl, toolPath, HTTP method, custom headers, and body, then issues a server-side HTTP request and returns the complete response to the caller. The vulnerability is linked to CWE-306 (Missing Authentication for Critical Function) and CWE-918 (Server-Side Request Forgery).
Any unauthenticated attacker with network access can exploit this endpoint remotely with low complexity and no user interaction required. Exploitation enables arbitrary server-side HTTP requests under the authority of the FastGPT server, potentially allowing high-impact confidentiality and integrity violations due to the proxy's flexibility in methods, headers, and payloads, with a changed scope amplifying effects.
The vulnerability has been patched in FastGPT version 4.14.9.5. Official mitigation guidance from GitHub security advisories (GHSA-w36r-f268-pwrj) recommends upgrading to this version, with the fix implemented via commit bc7eae2ed61481a5e322208829be291faec58c00 and pull request #6640, as detailed in the release notes.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17445
Vulnerability details
FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint (/api/core/app/httpTools/runTool) is exposed without any authentication. This endpoint acts as a full HTTP proxy — it accepts a user-supplied baseUrl, toolPath, HTTP method,…
more
custom headers, and body, then makes a server-side HTTP request and returns the complete response to the caller. This issue has been patched in version 4.14.9.5.
- CWE(s)
AI Security AnalysisAI
- AI Category
- LLM Application Platforms
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated SSRF in public-facing HTTP proxy endpoint directly enables exploitation of public-facing application (T1190), use as internal proxy for pivoting (T1090.001), and probing internal network services via arbitrary HTTP requests (T1046).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires organizations to identify and restrict critical actions performable without authentication, addressing the exposure of the unauthenticated HTTP proxy endpoint.
Mandates enforcement of approved access authorizations, preventing unauthorized access to the vulnerable HTTP tools testing endpoint.
Requires validation of information inputs such as user-supplied baseUrl, toolPath, headers, and body to block SSRF exploitation via the proxy.