Cyber Resilience

CVE-2026-34162

CriticalPublic PoC

Published: 31 March 2026

Published
31 March 2026
Modified
01 April 2026
KEV Added
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
EPSS Score 0.0042 33.2th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-34162 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Fastgpt Fastgpt. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-34162 is a critical vulnerability (CVSS 10.0; CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L) in FastGPT, an AI Agent building platform, affecting versions prior to 4.14.9.5. The issue stems from the HTTP tools testing endpoint (/api/core/app/httpTools/runTool) being exposed without authentication, functioning as a full HTTP proxy. It accepts user-supplied parameters including baseUrl, toolPath, HTTP method, custom headers, and body, then issues a server-side HTTP request and returns the complete response to the caller. The vulnerability is linked to CWE-306 (Missing Authentication for Critical Function) and CWE-918 (Server-Side Request Forgery).

Any unauthenticated attacker with network access can exploit this endpoint remotely with low complexity and no user interaction required. Exploitation enables arbitrary server-side HTTP requests under the authority of the FastGPT server, potentially allowing high-impact confidentiality and integrity violations due to the proxy's flexibility in methods, headers, and payloads, with a changed scope amplifying effects.

The vulnerability has been patched in FastGPT version 4.14.9.5. Official mitigation guidance from GitHub security advisories (GHSA-w36r-f268-pwrj) recommends upgrading to this version, with the fix implemented via commit bc7eae2ed61481a5e322208829be291faec58c00 and pull request #6640, as detailed in the release notes.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint (/api/core/app/httpTools/runTool) is exposed without any authentication. This endpoint acts as a full HTTP proxy — it accepts a user-supplied baseUrl, toolPath, HTTP method,…

more

custom headers, and body, then makes a server-side HTTP request and returns the complete response to the caller. This issue has been patched in version 4.14.9.5.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1090.001 Internal Proxy Command And Control
Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment.
T1046 Network Service Discovery Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

Unauthenticated SSRF in public-facing HTTP proxy endpoint directly enables exploitation of public-facing application (T1190), use as internal proxy for pivoting (T1090.001), and probing internal network services via arbitrary HTTP requests (T1046).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34163Same product: Fastgpt Fastgpt
CVE-2026-40351Same product: Fastgpt Fastgpt
CVE-2026-40252Same product: Fastgpt Fastgpt
CVE-2026-40352Same product: Fastgpt Fastgpt
CVE-2026-33075Same product: Fastgpt Fastgpt
CVE-2025-34228Shared CWE-306, CWE-918
CVE-2025-34231Shared CWE-306, CWE-918
CVE-2024-11822Shared CWE-918
CVE-2026-33715Shared CWE-306, CWE-918
CVE-2025-34225Shared CWE-306, CWE-918

Affected Assets

fastgpt
fastgpt
≤ 4.14.9.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires organizations to identify and restrict critical actions performable without authentication, addressing the exposure of the unauthenticated HTTP proxy endpoint.

prevent

Mandates enforcement of approved access authorizations, preventing unauthorized access to the vulnerable HTTP tools testing endpoint.

prevent

Requires validation of information inputs such as user-supplied baseUrl, toolPath, headers, and body to block SSRF exploitation via the proxy.

References