CVE-2026-34163

CVE-2026-34163 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting FastGPT, an AI Agent building platform, in versions prior to 4.14.9.5. The issue resides in the MCP (Model Context Protocol) tools endpoints, specifically /api/core/app/mcpTools/getTools and /api/core/app/mcpTools/runTool, which accept a user-supplied URL parameter and issue server-side HTTP requests to it without validating whether the URL targets an internal or private network address. Although FastGPT includes an isInternalAddress() function for SSRF protection in other components like the HTTP workflow node, these MCP endpoints do not invoke it, enabling unauthorized internal network access. The vulnerability carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).

An authenticated attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By supplying malicious URLs to the affected endpoints, the attacker can scan internal networks, access cloud metadata services, and interact with internal services such as MongoDB and Redis, potentially leading to high confidentiality impacts due to the changed scope.

The vulnerability has been patched in FastGPT version 4.14.9.5. Security practitioners should upgrade to this version or later. Relevant resources include the patch commit at https://github.com/labring/FastGPT/commit/bc7eae2ed61481a5e322208829be291faec58c00, the associated pull request at https://github.com/labring/FastGPT/pull/6640, the release notes at https://github.com/labring/FastGPT/releases/tag/v4.14.9.5, and the GitHub security advisory at https://github.com/labring/FastGPT/security/advisories/GHSA-x9vj-5m4j-9mfv.

As FastGPT is an AI Agent building platform, this SSRF vulnerability highlights risks in AI/ML infrastructure where internal services may handle sensitive model data or configurations. No public reports of real-world exploitation are available at this time.