CVE-2026-34162

CriticalPublic PoC

Published: 31 March 2026

Published

31 March 2026

Modified

01 April 2026

KEV Added

—

Patch

—

CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

EPSS Score 0.0022 45.0th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-34162 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Fastgpt Fastgpt. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as APIs and Models.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Directly requires organizations to identify and restrict critical actions performable without authentication, addressing the exposure of the unauthenticated HTTP proxy endpoint.

AC-3 Access Enforcement good match

prevent

Mandates enforcement of approved access authorizations, preventing unauthorized access to the vulnerable HTTP tools testing endpoint.

SI-10 Information Input Validation good match

prevent

Requires validation of information inputs such as user-supplied baseUrl, toolPath, headers, and body to block SSRF exploitation via the proxy.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1090.001 Internal Proxy Command And Control

Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment.

attack.mitre.org →

T1046 Network Service Discovery Discovery

Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.

attack.mitre.org →

Why these techniques?

Unauthenticated SSRF in public-facing HTTP proxy endpoint directly enables exploitation of public-facing application (T1190), use as internal proxy for pivoting (T1090.001), and probing internal network services via arbitrary HTTP requests (T1046).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint (/api/core/app/httpTools/runTool) is exposed without any authentication. This endpoint acts as a full HTTP proxy — it accepts a user-supplied baseUrl, toolPath, HTTP method,…

custom headers, and body, then makes a server-side HTTP request and returns the complete response to the caller. This issue has been patched in version 4.14.9.5.

Deeper analysisAI

CVE-2026-34162 is a critical vulnerability (CVSS 10.0; CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L) in FastGPT, an AI Agent building platform, affecting versions prior to 4.14.9.5. The issue stems from the HTTP tools testing endpoint (/api/core/app/httpTools/runTool) being exposed without authentication, functioning as a full HTTP proxy. It accepts user-supplied parameters including baseUrl, toolPath, HTTP method, custom headers, and body, then issues a server-side HTTP request and returns the complete response to the caller. The vulnerability is linked to CWE-306 (Missing Authentication for Critical Function) and CWE-918 (Server-Side Request Forgery).

Any unauthenticated attacker with network access can exploit this endpoint remotely with low complexity and no user interaction required. Exploitation enables arbitrary server-side HTTP requests under the authority of the FastGPT server, potentially allowing high-impact confidentiality and integrity violations due to the proxy's flexibility in methods, headers, and payloads, with a changed scope amplifying effects.

The vulnerability has been patched in FastGPT version 4.14.9.5. Official mitigation guidance from GitHub security advisories (GHSA-w36r-f268-pwrj) recommends upgrading to this version, with the fix implemented via commit bc7eae2ed61481a5e322208829be291faec58c00 and pull request #6640, as detailed in the release notes.

Details

CWE(s): CWE-306 CWE-918

Affected Products

fastgpt

≤ 4.14.9.5

AI Security AnalysisAI

AI Category: APIs and Models
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

CVEs Like This One

CVE-2026-34163Same product: Fastgpt Fastgpt

CVE-2026-40351Same product: Fastgpt Fastgpt

CVE-2026-40252Same product: Fastgpt Fastgpt

CVE-2026-40352Same product: Fastgpt Fastgpt

CVE-2026-33075Same product: Fastgpt Fastgpt

CVE-2025-34231Shared CWE-306, CWE-918

CVE-2025-34228Shared CWE-306, CWE-918

CVE-2026-33715Shared CWE-306, CWE-918

CVE-2026-33340Shared CWE-306, CWE-918

CVE-2025-34225Shared CWE-306, CWE-918

References

https://github.com/labring/FastGPT/commit/bc7eae2ed61481a5e322208829be291faec58c00
Patch · security-advisories@github.com
https://github.com/labring/FastGPT/pull/6640
Issue Tracking, Patch · security-advisories@github.com
https://github.com/labring/FastGPT/releases/tag/v4.14.9.5
Product, Release Notes · security-advisories@github.com
https://github.com/labring/FastGPT/security/advisories/GHSA-w36r-f268-pwrj
Exploit, Mitigation, Vendor Advisory · security-advisories@github.com
https://github.com/labring/FastGPT/security/advisories/GHSA-w36r-f268-pwrj
Exploit, Mitigation, Vendor Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0