Search criteria
44 vulnerabilities found for FastGPT by labring
CVE-2026-44287 (GCVE-0-2026-44287)
Vulnerability from nvd – Published: 2026-05-29 19:33 – Updated: 2026-06-01 13:53
VLAI
Title
FastGPT: sandbox escape to RCE - code-sandbox regex /\bimport\s*\(/ is bypassable
Summary
FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, the JavaScript sandbox worker at projects/code-sandbox/src/pool/worker.ts:356 blocks dynamic import() with the regex /\bimport\s*\(/.test(code). JavaScript syntax accepts a block comment between import and (; the regex matches only ASCII whitespace, and the bytes /, *, *, / are not in the \s character class. The payload import/**/("child_process") parses as a syntactically valid dynamic import that the regex does not detect. Because import() is not wrapped by the safeRequire Proxy (which only proxies require), the attacker loads child_process and calls execSync - arbitrary command execution as uid=100(sandbox) inside the sandbox container. This vulnerability is fixed in 4.15.0-beta1.
Severity
6.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44287",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T13:53:29.529997Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T13:53:52.216Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-f5mq-qxm4-5mvc"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c 4.15.0-beta1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, the JavaScript sandbox worker at projects/code-sandbox/src/pool/worker.ts:356 blocks dynamic import() with the regex /\\bimport\\s*\\(/.test(code). JavaScript syntax accepts a block comment between import and (; the regex matches only ASCII whitespace, and the bytes /, *, *, / are not in the \\s character class. The payload import/**/(\"child_process\") parses as a syntactically valid dynamic import that the regex does not detect. Because import() is not wrapped by the safeRequire Proxy (which only proxies require), the attacker loads child_process and calls execSync - arbitrary command execution as uid=100(sandbox) inside the sandbox container. This vulnerability is fixed in 4.15.0-beta1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-184",
"description": "CWE-184: Incomplete List of Disallowed Inputs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T19:33:53.500Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-f5mq-qxm4-5mvc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-f5mq-qxm4-5mvc"
}
],
"source": {
"advisory": "GHSA-f5mq-qxm4-5mvc",
"discovery": "UNKNOWN"
},
"title": "FastGPT: sandbox escape to RCE - code-sandbox regex /\\bimport\\s*\\(/ is bypassable"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44287",
"datePublished": "2026-05-29T19:33:53.500Z",
"dateReserved": "2026-05-05T17:39:31.112Z",
"dateUpdated": "2026-06-01T13:53:52.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44285 (GCVE-0-2026-44285)
Vulnerability from nvd – Published: 2026-05-29 19:32 – Updated: 2026-06-01 16:48
VLAI
Title
FastGPT: SSRF Protection Bypass via `externalFile` in Dataset Preview API
Summary
FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, a Server-Side Request Forgery (SSRF) vulnerability allows an authenticated attacker to bypass the global isInternalAddress network protection and make arbitrary HTTP GET requests to internal network services. This is achieved by exploiting an incomplete fix in the dataset preview endpoint /api/core/dataset/file/getPreviewChunks when utilizing the externalFile data import type. This vulnerability is fixed in 4.15.0-beta1.
Severity
7.7 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44285",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T16:48:14.023556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:48:19.741Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-c65v-7vx6-f8m3"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c 4.15.0-beta1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, a Server-Side Request Forgery (SSRF) vulnerability allows an authenticated attacker to bypass the global isInternalAddress network protection and make arbitrary HTTP GET requests to internal network services. This is achieved by exploiting an incomplete fix in the dataset preview endpoint /api/core/dataset/file/getPreviewChunks when utilizing the externalFile data import type. This vulnerability is fixed in 4.15.0-beta1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T19:32:49.590Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-c65v-7vx6-f8m3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-c65v-7vx6-f8m3"
}
],
"source": {
"advisory": "GHSA-c65v-7vx6-f8m3",
"discovery": "UNKNOWN"
},
"title": "FastGPT: SSRF Protection Bypass via `externalFile` in Dataset Preview API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44285",
"datePublished": "2026-05-29T19:32:49.590Z",
"dateReserved": "2026-05-05T17:39:31.112Z",
"dateUpdated": "2026-06-01T16:48:19.741Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44286 (GCVE-0-2026-44286)
Vulnerability from nvd – Published: 2026-05-08 22:17 – Updated: 2026-05-11 14:22
VLAI
Title
FastGPT: SSRF Vulnerability in Laf Workflow Node via Missing Internal Address Validation
Summary
FastGPT is an AI Agent building platform. Prior to version 4.14.17, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability allows attackers (or authenticated users with App editing privileges) to send arbitrary HTTP requests to internal/private network addresses. The fetchData function in the lafModule workflow node uses axios to fetch user-controlled URLs without validating them against the application's internal network blocklist guard (isInternalAddress), bypassing SSRF protections. This issue has been patched in version 4.14.17.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
| https://github.com/labring/FastGPT/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44286",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T14:22:03.786657Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T14:22:32.699Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-xpx6-xcpf-76qg"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c 4.14.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. Prior to version 4.14.17, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability allows attackers (or authenticated users with App editing privileges) to send arbitrary HTTP requests to internal/private network addresses. The fetchData function in the lafModule workflow node uses axios to fetch user-controlled URLs without validating them against the application\u0027s internal network blocklist guard (isInternalAddress), bypassing SSRF protections. This issue has been patched in version 4.14.17."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T22:17:17.908Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-xpx6-xcpf-76qg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-xpx6-xcpf-76qg"
},
{
"name": "https://github.com/labring/FastGPT/releases/tag/v4.14.17",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/releases/tag/v4.14.17"
}
],
"source": {
"advisory": "GHSA-xpx6-xcpf-76qg",
"discovery": "UNKNOWN"
},
"title": "FastGPT: SSRF Vulnerability in Laf Workflow Node via Missing Internal Address Validation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44286",
"datePublished": "2026-05-08T22:17:17.908Z",
"dateReserved": "2026-05-05T17:39:31.112Z",
"dateUpdated": "2026-05-11T14:22:32.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44284 (GCVE-0-2026-44284)
Vulnerability from nvd – Published: 2026-05-08 22:12 – Updated: 2026-05-11 15:57
VLAI
Title
FastGPT: Stored MCP tool URL SSRF in FastGPT workflow execution
Summary
FastGPT is an AI Agent building platform. Prior to version 4.14.17, FastGPT had an inconsistent SSRF protection gap in MCP tool URL handling. The direct MCP preview/run endpoints already rejected internal/private network URLs, but the MCP tool create/update endpoints could still save an internal MCP server URL. That stored URL could later be used by workflow execution without revalidating the destination. An authenticated user with permission to create or manage MCP toolsets could store an internal endpoint such as http://localhost:3000/mcp and later cause the FastGPT backend workflow runner to connect to that internal destination. This issue has been patched in version 4.14.17.
Severity
6.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
| https://github.com/labring/FastGPT/pull/6826 | x_refsource_MISC |
| https://github.com/labring/FastGPT/commit/c1c6b95… | x_refsource_MISC |
| https://github.com/labring/FastGPT/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44284",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T15:57:46.900457Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T15:57:51.029Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/labring/FastGPT/pull/6826"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-cxxj-99f7-f5wq"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c 4.14.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. Prior to version 4.14.17, FastGPT had an inconsistent SSRF protection gap in MCP tool URL handling. The direct MCP preview/run endpoints already rejected internal/private network URLs, but the MCP tool create/update endpoints could still save an internal MCP server URL. That stored URL could later be used by workflow execution without revalidating the destination. An authenticated user with permission to create or manage MCP toolsets could store an internal endpoint such as http://localhost:3000/mcp and later cause the FastGPT backend workflow runner to connect to that internal destination. This issue has been patched in version 4.14.17."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T22:12:39.854Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-cxxj-99f7-f5wq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-cxxj-99f7-f5wq"
},
{
"name": "https://github.com/labring/FastGPT/pull/6826",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/pull/6826"
},
{
"name": "https://github.com/labring/FastGPT/commit/c1c6b9520d976d25ed945b5bc4e0768149e6db69",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/commit/c1c6b9520d976d25ed945b5bc4e0768149e6db69"
},
{
"name": "https://github.com/labring/FastGPT/releases/tag/v4.14.17",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/releases/tag/v4.14.17"
}
],
"source": {
"advisory": "GHSA-cxxj-99f7-f5wq",
"discovery": "UNKNOWN"
},
"title": "FastGPT: Stored MCP tool URL SSRF in FastGPT workflow execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44284",
"datePublished": "2026-05-08T22:12:39.854Z",
"dateReserved": "2026-05-05T17:39:31.112Z",
"dateUpdated": "2026-05-11T15:57:51.029Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42345 (GCVE-0-2026-42345)
Vulnerability from nvd – Published: 2026-05-08 22:11 – Updated: 2026-05-13 17:47
VLAI
Title
FastGPT: Cloud metadata endpoint SSRF protection bypass via port specification, IPv6 mapping, hex/decimal IP encoding, and trailing dot
Summary
FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packages/service/common/system/utils.ts blocks cloud metadata endpoints using a fullUrl.startsWith() check against a hardcoded list. This check can be bypassed using at least 7 different URL encoding techniques, all of which resolve to the same cloud metadata service but do not match the blocklist patterns. Additionally, the broader private IP check (isInternalIPv4/isInternalIPv6) is disabled by default because CHECK_INTERNAL_IP defaults to false (not 'true'), so these bypasses reach the metadata endpoint without any further validation. At time of publication, there are no publicly available patches.
Severity
7.7 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42345",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T17:20:45.691099Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T17:47:03.507Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c= 4.14.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT\u0027s isInternalAddress() function in packages/service/common/system/utils.ts blocks cloud metadata endpoints using a fullUrl.startsWith() check against a hardcoded list. This check can be bypassed using at least 7 different URL encoding techniques, all of which resolve to the same cloud metadata service but do not match the blocklist patterns. Additionally, the broader private IP check (isInternalIPv4/isInternalIPv6) is disabled by default because CHECK_INTERNAL_IP defaults to false (not \u0027true\u0027), so these bypasses reach the metadata endpoint without any further validation. At time of publication, there are no publicly available patches."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T22:11:09.630Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-jhqw-944x-xh94",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-jhqw-944x-xh94"
}
],
"source": {
"advisory": "GHSA-jhqw-944x-xh94",
"discovery": "UNKNOWN"
},
"title": "FastGPT: Cloud metadata endpoint SSRF protection bypass via port specification, IPv6 mapping, hex/decimal IP encoding, and trailing dot"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42345",
"datePublished": "2026-05-08T22:11:09.630Z",
"dateReserved": "2026-04-26T13:26:14.515Z",
"dateUpdated": "2026-05-13T17:47:03.507Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42344 (GCVE-0-2026-42344)
Vulnerability from nvd – Published: 2026-05-08 22:10 – Updated: 2026-05-11 18:03
VLAI
Title
FastGPT: DNS rebinding TOCTOU bypass in isInternalAddress allows SSRF on all protected endpoints
Summary
FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packages/service/common/system/utils.ts is vulnerable to DNS rebinding (TOCTOU — Time-of-Check to Time-of-Use). The function resolves the hostname via dns.resolve4()/dns.resolve6() and checks resolved IPs against private ranges, but the actual HTTP request happens in a separate call with a new DNS resolution, allowing the DNS record to change between validation and fetch. At time of publication, there are no publicly available patches.
Severity
6.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42344",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:03:09.390132Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:03:27.685Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-cc8x-jrqv-hmwh"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c= 4.14.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT\u0027s isInternalAddress() function in packages/service/common/system/utils.ts is vulnerable to DNS rebinding (TOCTOU \u2014 Time-of-Check to Time-of-Use). The function resolves the hostname via dns.resolve4()/dns.resolve6() and checks resolved IPs against private ranges, but the actual HTTP request happens in a separate call with a new DNS resolution, allowing the DNS record to change between validation and fetch. At time of publication, there are no publicly available patches."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T22:10:00.875Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-cc8x-jrqv-hmwh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-cc8x-jrqv-hmwh"
}
],
"source": {
"advisory": "GHSA-cc8x-jrqv-hmwh",
"discovery": "UNKNOWN"
},
"title": "FastGPT: DNS rebinding TOCTOU bypass in isInternalAddress allows SSRF on all protected endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42344",
"datePublished": "2026-05-08T22:10:00.875Z",
"dateReserved": "2026-04-26T13:26:14.515Z",
"dateUpdated": "2026-05-11T18:03:27.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42343 (GCVE-0-2026-42343)
Vulnerability from nvd – Published: 2026-05-08 22:09 – Updated: 2026-05-12 02:10
VLAI
Title
FastGPT: Uncontrolled Resource Consumption leading to Sandbox Exhaustion
Summary
FastGPT is an AI Agent building platform. In versions 4.14.13 and prior, the code-sandbox component suffers from insufficient resource isolation and uncontrolled resource consumption. The service relies solely on an application-level soft limit (a 500ms polling interval) for memory management and lacks strict OS-level constraints such as cgroups or kernel-level namespaces. This architectural weakness allows attackers to easily bypass memory checks via time-window attacks, or exhaust the entire JavaScript worker pool via concurrent CPU-intensive requests, resulting in a complete Denial of Service (DoS) for legitimate users. At time of publication, there are no publicly available patches.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42343",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-12T02:10:18.323264Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T02:10:48.249Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-qv7v-r94x-6x3x"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c= 4.14.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. In versions 4.14.13 and prior, the code-sandbox component suffers from insufficient resource isolation and uncontrolled resource consumption. The service relies solely on an application-level soft limit (a 500ms polling interval) for memory management and lacks strict OS-level constraints such as cgroups or kernel-level namespaces. This architectural weakness allows attackers to easily bypass memory checks via time-window attacks, or exhaust the entire JavaScript worker pool via concurrent CPU-intensive requests, resulting in a complete Denial of Service (DoS) for legitimate users. At time of publication, there are no publicly available patches."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T22:09:03.156Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-qv7v-r94x-6x3x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-qv7v-r94x-6x3x"
}
],
"source": {
"advisory": "GHSA-qv7v-r94x-6x3x",
"discovery": "UNKNOWN"
},
"title": "FastGPT: Uncontrolled Resource Consumption leading to Sandbox Exhaustion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42343",
"datePublished": "2026-05-08T22:09:03.156Z",
"dateReserved": "2026-04-26T13:26:14.514Z",
"dateUpdated": "2026-05-12T02:10:48.249Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42302 (GCVE-0-2026-42302)
Vulnerability from nvd – Published: 2026-05-08 22:05 – Updated: 2026-05-12 18:31
VLAI
Title
FastGPT: Unauthenticated Remote Code Execution (RCE) via code-server Misconfiguration in agent-sandbox
Summary
FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of FastGPT is vulnerable to unauthenticated Remote Code Execution (RCE). The startup script entrypoint.sh initializes code-server with the --auth none flag and binds the service to all network interfaces (0.0.0.0:8080). This configuration allows any user with network access to the port to bypass authentication and gain full control over the sandbox environment. This issue has been patched in version 4.14.13.
Severity
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
| https://github.com/labring/FastGPT/pull/6781 | x_refsource_MISC |
| https://github.com/labring/FastGPT/commit/9d1cafc… | x_refsource_MISC |
| https://github.com/labring/FastGPT/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42302",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-12T13:04:25.589405Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T18:31:43.124Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-34rc-438g-7w78"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.14.10, \u003c 4.14.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of FastGPT is vulnerable to unauthenticated Remote Code Execution (RCE). The startup script entrypoint.sh initializes code-server with the --auth none flag and binds the service to all network interfaces (0.0.0.0:8080). This configuration allows any user with network access to the port to bypass authentication and gain full control over the sandbox environment. This issue has been patched in version 4.14.13."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T22:05:49.460Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-34rc-438g-7w78",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-34rc-438g-7w78"
},
{
"name": "https://github.com/labring/FastGPT/pull/6781",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/pull/6781"
},
{
"name": "https://github.com/labring/FastGPT/commit/9d1cafce9241430fb5bcdd646455055c5f4ae0a4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/commit/9d1cafce9241430fb5bcdd646455055c5f4ae0a4"
},
{
"name": "https://github.com/labring/FastGPT/releases/tag/v4.14.13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/releases/tag/v4.14.13"
}
],
"source": {
"advisory": "GHSA-34rc-438g-7w78",
"discovery": "UNKNOWN"
},
"title": "FastGPT: Unauthenticated Remote Code Execution (RCE) via code-server Misconfiguration in agent-sandbox"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42302",
"datePublished": "2026-05-08T22:05:49.460Z",
"dateReserved": "2026-04-26T12:13:55.552Z",
"dateUpdated": "2026-05-12T18:31:43.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40352 (GCVE-0-2026-40352)
Vulnerability from nvd – Published: 2026-04-17 21:09 – Updated: 2026-04-20 13:36
VLAI
Title
FastGPT: NoSQL Injection in updatePasswordByOld Leads to Account Takeover
Summary
FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password change endpoint is vulnerable to NoSQL injection. An authenticated attacker can bypass the "old password" verification by injecting MongoDB query operators. This allows an attacker who has gained a low-privileged session to change the password of their account (or others if combined with ID manipulation) without knowing the current one, leading to full account takeover and persistence. This issue has been fixed in version 4.14.9.5.
Severity
8.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
| https://github.com/labring/FastGPT/commit/bd966d4… | x_refsource_MISC |
| https://github.com/labring/FastGPT/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40352",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T13:23:11.617519Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T13:36:06.464Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c 4.14.9.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password change endpoint is vulnerable to NoSQL injection. An authenticated attacker can bypass the \"old password\" verification by injecting MongoDB query operators. This allows an attacker who has gained a low-privileged session to change the password of their account (or others if combined with ID manipulation) without knowing the current one, leading to full account takeover and persistence. This issue has been fixed in version 4.14.9.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-943",
"description": "CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T21:09:32.913Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-422w-vrfj-72g6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-422w-vrfj-72g6"
},
{
"name": "https://github.com/labring/FastGPT/commit/bd966d479fbe414d02679cf79f9eaaab3d100a2d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/commit/bd966d479fbe414d02679cf79f9eaaab3d100a2d"
},
{
"name": "https://github.com/labring/FastGPT/releases/tag/v4.14.9.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/releases/tag/v4.14.9.5"
}
],
"source": {
"advisory": "GHSA-422w-vrfj-72g6",
"discovery": "UNKNOWN"
},
"title": "FastGPT: NoSQL Injection in updatePasswordByOld Leads to Account Takeover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40352",
"datePublished": "2026-04-17T21:09:32.913Z",
"dateReserved": "2026-04-10T22:50:01.359Z",
"dateUpdated": "2026-04-20T13:36:06.464Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40351 (GCVE-0-2026-40351)
Vulnerability from nvd – Published: 2026-04-17 21:05 – Updated: 2026-04-20 14:57
VLAI
Title
FastGPT: NoSQL Injection in loginByPassword leads to Authentication Bypass
Summary
FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime validation, allowing an unauthenticated attacker to pass a MongoDB query operator object (e.g., {"$ne": ""}) as the password field. This NoSQL injection bypasses the password check, enabling login as any user including the root administrator. This issue has been fixed in version 4.14.9.5.
Severity
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
| https://github.com/labring/FastGPT/commit/bd966d4… | x_refsource_MISC |
| https://github.com/labring/FastGPT/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40351",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T14:47:36.369173Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T14:57:15.664Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c 4.14.9.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime validation, allowing an unauthenticated attacker to pass a MongoDB query operator object (e.g., {\"$ne\": \"\"}) as the password field. This NoSQL injection bypasses the password check, enabling login as any user including the root administrator. This issue has been fixed in version 4.14.9.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-943",
"description": "CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T21:05:05.911Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-x8mx-2mr7-h9xg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-x8mx-2mr7-h9xg"
},
{
"name": "https://github.com/labring/FastGPT/commit/bd966d479fbe414d02679cf79f9eaaab3d100a2d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/commit/bd966d479fbe414d02679cf79f9eaaab3d100a2d"
},
{
"name": "https://github.com/labring/FastGPT/releases/tag/v4.14.9.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/releases/tag/v4.14.9.5"
}
],
"source": {
"advisory": "GHSA-x8mx-2mr7-h9xg",
"discovery": "UNKNOWN"
},
"title": "FastGPT: NoSQL Injection in loginByPassword leads to Authentication Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40351",
"datePublished": "2026-04-17T21:05:05.911Z",
"dateReserved": "2026-04-10T22:50:01.359Z",
"dateUpdated": "2026-04-20T14:57:15.664Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40252 (GCVE-0-2026-40252)
Vulnerability from nvd – Published: 2026-04-10 20:52 – Updated: 2026-04-13 16:14
VLAI
Title
Broken Access Control (IDOR) Leading to Cross-Tenant Application Access in FastGPT
Summary
FastGPT is an AI Agent building platform. Prior to 4.14.10.4, Broken Access Control vulnerability (IDOR/BOLA) allows any authenticated team to access and execute applications belonging to other teams by supplying a foreign appId. While the API correctly validates the team token, it does not verify that the requested application belongs to the authenticated team. This leads to cross-tenant data exposure and unauthorized execution of private AI workflows. This vulnerability is fixed in 4.14.10.4.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
| https://github.com/labring/FastGPT/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40252",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T16:14:17.130465Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T16:14:30.862Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c 4.14.10.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. Prior to 4.14.10.4, Broken Access Control vulnerability (IDOR/BOLA) allows any authenticated team to access and execute applications belonging to other teams by supplying a foreign appId. While the API correctly validates the team token, it does not verify that the requested application belongs to the authenticated team. This leads to cross-tenant data exposure and unauthorized execution of private AI workflows. This vulnerability is fixed in 4.14.10.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T20:52:15.218Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-gc8m-w37w-24hw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-gc8m-w37w-24hw"
},
{
"name": "https://github.com/labring/FastGPT/releases/tag/v4.14.10.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/releases/tag/v4.14.10.4"
}
],
"source": {
"advisory": "GHSA-gc8m-w37w-24hw",
"discovery": "UNKNOWN"
},
"title": "Broken Access Control (IDOR) Leading to Cross-Tenant Application Access in FastGPT"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40252",
"datePublished": "2026-04-10T20:52:15.218Z",
"dateReserved": "2026-04-10T17:31:45.786Z",
"dateUpdated": "2026-04-13T16:14:30.862Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40100 (GCVE-0-2026-40100)
Vulnerability from nvd – Published: 2026-04-10 16:39 – Updated: 2026-04-15 14:47
VLAI
Title
FastGPT has Unauthenticated SSRF in /api/core/app/mcpTools/runTool via missing CHECK_INTERNAL_IP default
Summary
FastGPT is an AI Agent building platform. Prior to 4.14.10.3, the /api/core/app/mcpTools/runTool endpoint accepts arbitrary URLs without authentication. The internal IP check in isInternalAddress() only blocks private IPs when CHECK_INTERNAL_IP=true, which is not the default. This allows unauthenticated attackers to perform SSRF against internal network resources. This vulnerability is fixed in 4.14.10.3.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40100",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T14:45:56.717074Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T14:47:23.092Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c 4.14.10.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. Prior to 4.14.10.3, the /api/core/app/mcpTools/runTool endpoint accepts arbitrary URLs without authentication. The internal IP check in isInternalAddress() only blocks private IPs when CHECK_INTERNAL_IP=true, which is not the default. This allows unauthenticated attackers to perform SSRF against internal network resources. This vulnerability is fixed in 4.14.10.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T16:39:25.856Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-jrhc-f3j7-f8g4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-jrhc-f3j7-f8g4"
}
],
"source": {
"advisory": "GHSA-jrhc-f3j7-f8g4",
"discovery": "UNKNOWN"
},
"title": "FastGPT has Unauthenticated SSRF in /api/core/app/mcpTools/runTool via missing CHECK_INTERNAL_IP default"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40100",
"datePublished": "2026-04-10T16:39:25.856Z",
"dateReserved": "2026-04-09T01:41:38.536Z",
"dateUpdated": "2026-04-15T14:47:23.092Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34163 (GCVE-0-2026-34163)
Vulnerability from nvd – Published: 2026-03-31 13:43 – Updated: 2026-03-31 15:37
VLAI
Title
Server-Side Request Forgery via MCP Tools Endpoint in FastGPT
Summary
FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, FastGPT's MCP (Model Context Protocol) tools endpoints (/api/core/app/mcpTools/getTools and /api/core/app/mcpTools/runTool) accept a user-supplied URL parameter and make server-side HTTP requests to it without validating whether the URL points to an internal/private network address. Although the application has a dedicated isInternalAddress() function for SSRF protection (used in other endpoints like the HTTP workflow node), the MCP tools endpoints do not call this function. An authenticated attacker can use these endpoints to scan internal networks, access cloud metadata services, and interact with internal services such as MongoDB and Redis. This issue has been patched in version 4.14.9.5.
Severity
7.7 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
| https://github.com/labring/FastGPT/pull/6640 | x_refsource_MISC |
| https://github.com/labring/FastGPT/commit/bc7eae2… | x_refsource_MISC |
| https://github.com/labring/FastGPT/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34163",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T15:37:50.933430Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T15:37:59.791Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c 4.14.9.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, FastGPT\u0027s MCP (Model Context Protocol) tools endpoints (/api/core/app/mcpTools/getTools and /api/core/app/mcpTools/runTool) accept a user-supplied URL parameter and make server-side HTTP requests to it without validating whether the URL points to an internal/private network address. Although the application has a dedicated isInternalAddress() function for SSRF protection (used in other endpoints like the HTTP workflow node), the MCP tools endpoints do not call this function. An authenticated attacker can use these endpoints to scan internal networks, access cloud metadata services, and interact with internal services such as MongoDB and Redis. This issue has been patched in version 4.14.9.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T13:43:11.068Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-x9vj-5m4j-9mfv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-x9vj-5m4j-9mfv"
},
{
"name": "https://github.com/labring/FastGPT/pull/6640",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/pull/6640"
},
{
"name": "https://github.com/labring/FastGPT/commit/bc7eae2ed61481a5e322208829be291faec58c00",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/commit/bc7eae2ed61481a5e322208829be291faec58c00"
},
{
"name": "https://github.com/labring/FastGPT/releases/tag/v4.14.9.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/releases/tag/v4.14.9.5"
}
],
"source": {
"advisory": "GHSA-x9vj-5m4j-9mfv",
"discovery": "UNKNOWN"
},
"title": "Server-Side Request Forgery via MCP Tools Endpoint in FastGPT"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34163",
"datePublished": "2026-03-31T13:43:11.068Z",
"dateReserved": "2026-03-25T20:12:04.197Z",
"dateUpdated": "2026-03-31T15:37:59.791Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34162 (GCVE-0-2026-34162)
Vulnerability from nvd – Published: 2026-03-31 13:43 – Updated: 2026-03-31 14:33
VLAI
Title
FastGPT: Unauthenticated SSRF via httpTools Endpoint Leads to Internal API Key Theft
Summary
FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint (/api/core/app/httpTools/runTool) is exposed without any authentication. This endpoint acts as a full HTTP proxy — it accepts a user-supplied baseUrl, toolPath, HTTP method, custom headers, and body, then makes a server-side HTTP request and returns the complete response to the caller. This issue has been patched in version 4.14.9.5.
Severity
10 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
| https://github.com/labring/FastGPT/pull/6640 | x_refsource_MISC |
| https://github.com/labring/FastGPT/commit/bc7eae2… | x_refsource_MISC |
| https://github.com/labring/FastGPT/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34162",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T14:33:27.055617Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T14:33:31.305Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-w36r-f268-pwrj"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c 4.14.9.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint (/api/core/app/httpTools/runTool) is exposed without any authentication. This endpoint acts as a full HTTP proxy \u2014 it accepts a user-supplied baseUrl, toolPath, HTTP method, custom headers, and body, then makes a server-side HTTP request and returns the complete response to the caller. This issue has been patched in version 4.14.9.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T13:43:20.981Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-w36r-f268-pwrj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-w36r-f268-pwrj"
},
{
"name": "https://github.com/labring/FastGPT/pull/6640",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/pull/6640"
},
{
"name": "https://github.com/labring/FastGPT/commit/bc7eae2ed61481a5e322208829be291faec58c00",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/commit/bc7eae2ed61481a5e322208829be291faec58c00"
},
{
"name": "https://github.com/labring/FastGPT/releases/tag/v4.14.9.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/releases/tag/v4.14.9.5"
}
],
"source": {
"advisory": "GHSA-w36r-f268-pwrj",
"discovery": "UNKNOWN"
},
"title": "FastGPT: Unauthenticated SSRF via httpTools Endpoint Leads to Internal API Key Theft"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34162",
"datePublished": "2026-03-31T13:43:20.981Z",
"dateReserved": "2026-03-25T20:12:04.197Z",
"dateUpdated": "2026-03-31T14:33:31.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33075 (GCVE-0-2026-33075)
Vulnerability from nvd – Published: 2026-03-20 08:37 – Updated: 2026-03-20 13:48
VLAI
Title
FastGPT has Arbitrary Code Execution in GitHub Actions via pull_request_target in fastgpt-preview-image.yml
Summary
FastGPT is an AI Agent building platform. In versions 4.14.8.3 and below, the fastgpt-preview-image.yml workflow is vulnerable to arbitrary code execution and secret exfiltration by any external contributor. It uses pull_request_target (which runs with access to repository secrets) but checks out code from the pull request author's fork, then builds and pushes Docker images using attacker-controlled Dockerfiles. This also enables a supply chain attack via the production container registry. A patch was not available at the time of publication.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33075",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T13:47:53.551950Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T13:48:05.632Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c= 4.14.8.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. In versions 4.14.8.3 and below, the fastgpt-preview-image.yml workflow is vulnerable to arbitrary code execution and secret exfiltration by any external contributor. It uses pull_request_target (which runs with access to repository secrets) but checks out code from the pull request author\u0027s fork, then builds and pushes Docker images using attacker-controlled Dockerfiles. This also enables a supply chain attack via the production container registry. A patch was not available at the time of publication."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-494",
"description": "CWE-494: Download of Code Without Integrity Check",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-829",
"description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T08:37:16.169Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-xfx8-w35j-485c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-xfx8-w35j-485c"
}
],
"source": {
"advisory": "GHSA-xfx8-w35j-485c",
"discovery": "UNKNOWN"
},
"title": "FastGPT has Arbitrary Code Execution in GitHub Actions via pull_request_target in fastgpt-preview-image.yml"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33075",
"datePublished": "2026-03-20T08:37:16.169Z",
"dateReserved": "2026-03-17T19:27:06.344Z",
"dateUpdated": "2026-03-20T13:48:05.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44287 (GCVE-0-2026-44287)
Vulnerability from cvelistv5 – Published: 2026-05-29 19:33 – Updated: 2026-06-01 13:53
VLAI
Title
FastGPT: sandbox escape to RCE - code-sandbox regex /\bimport\s*\(/ is bypassable
Summary
FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, the JavaScript sandbox worker at projects/code-sandbox/src/pool/worker.ts:356 blocks dynamic import() with the regex /\bimport\s*\(/.test(code). JavaScript syntax accepts a block comment between import and (; the regex matches only ASCII whitespace, and the bytes /, *, *, / are not in the \s character class. The payload import/**/("child_process") parses as a syntactically valid dynamic import that the regex does not detect. Because import() is not wrapped by the safeRequire Proxy (which only proxies require), the attacker loads child_process and calls execSync - arbitrary command execution as uid=100(sandbox) inside the sandbox container. This vulnerability is fixed in 4.15.0-beta1.
Severity
6.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44287",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T13:53:29.529997Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T13:53:52.216Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-f5mq-qxm4-5mvc"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c 4.15.0-beta1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, the JavaScript sandbox worker at projects/code-sandbox/src/pool/worker.ts:356 blocks dynamic import() with the regex /\\bimport\\s*\\(/.test(code). JavaScript syntax accepts a block comment between import and (; the regex matches only ASCII whitespace, and the bytes /, *, *, / are not in the \\s character class. The payload import/**/(\"child_process\") parses as a syntactically valid dynamic import that the regex does not detect. Because import() is not wrapped by the safeRequire Proxy (which only proxies require), the attacker loads child_process and calls execSync - arbitrary command execution as uid=100(sandbox) inside the sandbox container. This vulnerability is fixed in 4.15.0-beta1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-184",
"description": "CWE-184: Incomplete List of Disallowed Inputs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T19:33:53.500Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-f5mq-qxm4-5mvc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-f5mq-qxm4-5mvc"
}
],
"source": {
"advisory": "GHSA-f5mq-qxm4-5mvc",
"discovery": "UNKNOWN"
},
"title": "FastGPT: sandbox escape to RCE - code-sandbox regex /\\bimport\\s*\\(/ is bypassable"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44287",
"datePublished": "2026-05-29T19:33:53.500Z",
"dateReserved": "2026-05-05T17:39:31.112Z",
"dateUpdated": "2026-06-01T13:53:52.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44285 (GCVE-0-2026-44285)
Vulnerability from cvelistv5 – Published: 2026-05-29 19:32 – Updated: 2026-06-01 16:48
VLAI
Title
FastGPT: SSRF Protection Bypass via `externalFile` in Dataset Preview API
Summary
FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, a Server-Side Request Forgery (SSRF) vulnerability allows an authenticated attacker to bypass the global isInternalAddress network protection and make arbitrary HTTP GET requests to internal network services. This is achieved by exploiting an incomplete fix in the dataset preview endpoint /api/core/dataset/file/getPreviewChunks when utilizing the externalFile data import type. This vulnerability is fixed in 4.15.0-beta1.
Severity
7.7 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44285",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T16:48:14.023556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:48:19.741Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-c65v-7vx6-f8m3"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c 4.15.0-beta1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, a Server-Side Request Forgery (SSRF) vulnerability allows an authenticated attacker to bypass the global isInternalAddress network protection and make arbitrary HTTP GET requests to internal network services. This is achieved by exploiting an incomplete fix in the dataset preview endpoint /api/core/dataset/file/getPreviewChunks when utilizing the externalFile data import type. This vulnerability is fixed in 4.15.0-beta1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T19:32:49.590Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-c65v-7vx6-f8m3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-c65v-7vx6-f8m3"
}
],
"source": {
"advisory": "GHSA-c65v-7vx6-f8m3",
"discovery": "UNKNOWN"
},
"title": "FastGPT: SSRF Protection Bypass via `externalFile` in Dataset Preview API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44285",
"datePublished": "2026-05-29T19:32:49.590Z",
"dateReserved": "2026-05-05T17:39:31.112Z",
"dateUpdated": "2026-06-01T16:48:19.741Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44286 (GCVE-0-2026-44286)
Vulnerability from cvelistv5 – Published: 2026-05-08 22:17 – Updated: 2026-05-11 14:22
VLAI
Title
FastGPT: SSRF Vulnerability in Laf Workflow Node via Missing Internal Address Validation
Summary
FastGPT is an AI Agent building platform. Prior to version 4.14.17, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability allows attackers (or authenticated users with App editing privileges) to send arbitrary HTTP requests to internal/private network addresses. The fetchData function in the lafModule workflow node uses axios to fetch user-controlled URLs without validating them against the application's internal network blocklist guard (isInternalAddress), bypassing SSRF protections. This issue has been patched in version 4.14.17.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
| https://github.com/labring/FastGPT/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44286",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T14:22:03.786657Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T14:22:32.699Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-xpx6-xcpf-76qg"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c 4.14.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. Prior to version 4.14.17, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability allows attackers (or authenticated users with App editing privileges) to send arbitrary HTTP requests to internal/private network addresses. The fetchData function in the lafModule workflow node uses axios to fetch user-controlled URLs without validating them against the application\u0027s internal network blocklist guard (isInternalAddress), bypassing SSRF protections. This issue has been patched in version 4.14.17."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T22:17:17.908Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-xpx6-xcpf-76qg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-xpx6-xcpf-76qg"
},
{
"name": "https://github.com/labring/FastGPT/releases/tag/v4.14.17",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/releases/tag/v4.14.17"
}
],
"source": {
"advisory": "GHSA-xpx6-xcpf-76qg",
"discovery": "UNKNOWN"
},
"title": "FastGPT: SSRF Vulnerability in Laf Workflow Node via Missing Internal Address Validation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44286",
"datePublished": "2026-05-08T22:17:17.908Z",
"dateReserved": "2026-05-05T17:39:31.112Z",
"dateUpdated": "2026-05-11T14:22:32.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44284 (GCVE-0-2026-44284)
Vulnerability from cvelistv5 – Published: 2026-05-08 22:12 – Updated: 2026-05-11 15:57
VLAI
Title
FastGPT: Stored MCP tool URL SSRF in FastGPT workflow execution
Summary
FastGPT is an AI Agent building platform. Prior to version 4.14.17, FastGPT had an inconsistent SSRF protection gap in MCP tool URL handling. The direct MCP preview/run endpoints already rejected internal/private network URLs, but the MCP tool create/update endpoints could still save an internal MCP server URL. That stored URL could later be used by workflow execution without revalidating the destination. An authenticated user with permission to create or manage MCP toolsets could store an internal endpoint such as http://localhost:3000/mcp and later cause the FastGPT backend workflow runner to connect to that internal destination. This issue has been patched in version 4.14.17.
Severity
6.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
| https://github.com/labring/FastGPT/pull/6826 | x_refsource_MISC |
| https://github.com/labring/FastGPT/commit/c1c6b95… | x_refsource_MISC |
| https://github.com/labring/FastGPT/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44284",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T15:57:46.900457Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T15:57:51.029Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/labring/FastGPT/pull/6826"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-cxxj-99f7-f5wq"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c 4.14.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. Prior to version 4.14.17, FastGPT had an inconsistent SSRF protection gap in MCP tool URL handling. The direct MCP preview/run endpoints already rejected internal/private network URLs, but the MCP tool create/update endpoints could still save an internal MCP server URL. That stored URL could later be used by workflow execution without revalidating the destination. An authenticated user with permission to create or manage MCP toolsets could store an internal endpoint such as http://localhost:3000/mcp and later cause the FastGPT backend workflow runner to connect to that internal destination. This issue has been patched in version 4.14.17."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T22:12:39.854Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-cxxj-99f7-f5wq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-cxxj-99f7-f5wq"
},
{
"name": "https://github.com/labring/FastGPT/pull/6826",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/pull/6826"
},
{
"name": "https://github.com/labring/FastGPT/commit/c1c6b9520d976d25ed945b5bc4e0768149e6db69",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/commit/c1c6b9520d976d25ed945b5bc4e0768149e6db69"
},
{
"name": "https://github.com/labring/FastGPT/releases/tag/v4.14.17",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/releases/tag/v4.14.17"
}
],
"source": {
"advisory": "GHSA-cxxj-99f7-f5wq",
"discovery": "UNKNOWN"
},
"title": "FastGPT: Stored MCP tool URL SSRF in FastGPT workflow execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44284",
"datePublished": "2026-05-08T22:12:39.854Z",
"dateReserved": "2026-05-05T17:39:31.112Z",
"dateUpdated": "2026-05-11T15:57:51.029Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42345 (GCVE-0-2026-42345)
Vulnerability from cvelistv5 – Published: 2026-05-08 22:11 – Updated: 2026-05-13 17:47
VLAI
Title
FastGPT: Cloud metadata endpoint SSRF protection bypass via port specification, IPv6 mapping, hex/decimal IP encoding, and trailing dot
Summary
FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packages/service/common/system/utils.ts blocks cloud metadata endpoints using a fullUrl.startsWith() check against a hardcoded list. This check can be bypassed using at least 7 different URL encoding techniques, all of which resolve to the same cloud metadata service but do not match the blocklist patterns. Additionally, the broader private IP check (isInternalIPv4/isInternalIPv6) is disabled by default because CHECK_INTERNAL_IP defaults to false (not 'true'), so these bypasses reach the metadata endpoint without any further validation. At time of publication, there are no publicly available patches.
Severity
7.7 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42345",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T17:20:45.691099Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T17:47:03.507Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c= 4.14.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT\u0027s isInternalAddress() function in packages/service/common/system/utils.ts blocks cloud metadata endpoints using a fullUrl.startsWith() check against a hardcoded list. This check can be bypassed using at least 7 different URL encoding techniques, all of which resolve to the same cloud metadata service but do not match the blocklist patterns. Additionally, the broader private IP check (isInternalIPv4/isInternalIPv6) is disabled by default because CHECK_INTERNAL_IP defaults to false (not \u0027true\u0027), so these bypasses reach the metadata endpoint without any further validation. At time of publication, there are no publicly available patches."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T22:11:09.630Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-jhqw-944x-xh94",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-jhqw-944x-xh94"
}
],
"source": {
"advisory": "GHSA-jhqw-944x-xh94",
"discovery": "UNKNOWN"
},
"title": "FastGPT: Cloud metadata endpoint SSRF protection bypass via port specification, IPv6 mapping, hex/decimal IP encoding, and trailing dot"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42345",
"datePublished": "2026-05-08T22:11:09.630Z",
"dateReserved": "2026-04-26T13:26:14.515Z",
"dateUpdated": "2026-05-13T17:47:03.507Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42344 (GCVE-0-2026-42344)
Vulnerability from cvelistv5 – Published: 2026-05-08 22:10 – Updated: 2026-05-11 18:03
VLAI
Title
FastGPT: DNS rebinding TOCTOU bypass in isInternalAddress allows SSRF on all protected endpoints
Summary
FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packages/service/common/system/utils.ts is vulnerable to DNS rebinding (TOCTOU — Time-of-Check to Time-of-Use). The function resolves the hostname via dns.resolve4()/dns.resolve6() and checks resolved IPs against private ranges, but the actual HTTP request happens in a separate call with a new DNS resolution, allowing the DNS record to change between validation and fetch. At time of publication, there are no publicly available patches.
Severity
6.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42344",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:03:09.390132Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:03:27.685Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-cc8x-jrqv-hmwh"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c= 4.14.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT\u0027s isInternalAddress() function in packages/service/common/system/utils.ts is vulnerable to DNS rebinding (TOCTOU \u2014 Time-of-Check to Time-of-Use). The function resolves the hostname via dns.resolve4()/dns.resolve6() and checks resolved IPs against private ranges, but the actual HTTP request happens in a separate call with a new DNS resolution, allowing the DNS record to change between validation and fetch. At time of publication, there are no publicly available patches."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T22:10:00.875Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-cc8x-jrqv-hmwh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-cc8x-jrqv-hmwh"
}
],
"source": {
"advisory": "GHSA-cc8x-jrqv-hmwh",
"discovery": "UNKNOWN"
},
"title": "FastGPT: DNS rebinding TOCTOU bypass in isInternalAddress allows SSRF on all protected endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42344",
"datePublished": "2026-05-08T22:10:00.875Z",
"dateReserved": "2026-04-26T13:26:14.515Z",
"dateUpdated": "2026-05-11T18:03:27.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42343 (GCVE-0-2026-42343)
Vulnerability from cvelistv5 – Published: 2026-05-08 22:09 – Updated: 2026-05-12 02:10
VLAI
Title
FastGPT: Uncontrolled Resource Consumption leading to Sandbox Exhaustion
Summary
FastGPT is an AI Agent building platform. In versions 4.14.13 and prior, the code-sandbox component suffers from insufficient resource isolation and uncontrolled resource consumption. The service relies solely on an application-level soft limit (a 500ms polling interval) for memory management and lacks strict OS-level constraints such as cgroups or kernel-level namespaces. This architectural weakness allows attackers to easily bypass memory checks via time-window attacks, or exhaust the entire JavaScript worker pool via concurrent CPU-intensive requests, resulting in a complete Denial of Service (DoS) for legitimate users. At time of publication, there are no publicly available patches.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42343",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-12T02:10:18.323264Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T02:10:48.249Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-qv7v-r94x-6x3x"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c= 4.14.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. In versions 4.14.13 and prior, the code-sandbox component suffers from insufficient resource isolation and uncontrolled resource consumption. The service relies solely on an application-level soft limit (a 500ms polling interval) for memory management and lacks strict OS-level constraints such as cgroups or kernel-level namespaces. This architectural weakness allows attackers to easily bypass memory checks via time-window attacks, or exhaust the entire JavaScript worker pool via concurrent CPU-intensive requests, resulting in a complete Denial of Service (DoS) for legitimate users. At time of publication, there are no publicly available patches."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T22:09:03.156Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-qv7v-r94x-6x3x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-qv7v-r94x-6x3x"
}
],
"source": {
"advisory": "GHSA-qv7v-r94x-6x3x",
"discovery": "UNKNOWN"
},
"title": "FastGPT: Uncontrolled Resource Consumption leading to Sandbox Exhaustion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42343",
"datePublished": "2026-05-08T22:09:03.156Z",
"dateReserved": "2026-04-26T13:26:14.514Z",
"dateUpdated": "2026-05-12T02:10:48.249Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42302 (GCVE-0-2026-42302)
Vulnerability from cvelistv5 – Published: 2026-05-08 22:05 – Updated: 2026-05-12 18:31
VLAI
Title
FastGPT: Unauthenticated Remote Code Execution (RCE) via code-server Misconfiguration in agent-sandbox
Summary
FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of FastGPT is vulnerable to unauthenticated Remote Code Execution (RCE). The startup script entrypoint.sh initializes code-server with the --auth none flag and binds the service to all network interfaces (0.0.0.0:8080). This configuration allows any user with network access to the port to bypass authentication and gain full control over the sandbox environment. This issue has been patched in version 4.14.13.
Severity
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
| https://github.com/labring/FastGPT/pull/6781 | x_refsource_MISC |
| https://github.com/labring/FastGPT/commit/9d1cafc… | x_refsource_MISC |
| https://github.com/labring/FastGPT/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42302",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-12T13:04:25.589405Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T18:31:43.124Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-34rc-438g-7w78"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.14.10, \u003c 4.14.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of FastGPT is vulnerable to unauthenticated Remote Code Execution (RCE). The startup script entrypoint.sh initializes code-server with the --auth none flag and binds the service to all network interfaces (0.0.0.0:8080). This configuration allows any user with network access to the port to bypass authentication and gain full control over the sandbox environment. This issue has been patched in version 4.14.13."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T22:05:49.460Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-34rc-438g-7w78",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-34rc-438g-7w78"
},
{
"name": "https://github.com/labring/FastGPT/pull/6781",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/pull/6781"
},
{
"name": "https://github.com/labring/FastGPT/commit/9d1cafce9241430fb5bcdd646455055c5f4ae0a4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/commit/9d1cafce9241430fb5bcdd646455055c5f4ae0a4"
},
{
"name": "https://github.com/labring/FastGPT/releases/tag/v4.14.13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/releases/tag/v4.14.13"
}
],
"source": {
"advisory": "GHSA-34rc-438g-7w78",
"discovery": "UNKNOWN"
},
"title": "FastGPT: Unauthenticated Remote Code Execution (RCE) via code-server Misconfiguration in agent-sandbox"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42302",
"datePublished": "2026-05-08T22:05:49.460Z",
"dateReserved": "2026-04-26T12:13:55.552Z",
"dateUpdated": "2026-05-12T18:31:43.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40352 (GCVE-0-2026-40352)
Vulnerability from cvelistv5 – Published: 2026-04-17 21:09 – Updated: 2026-04-20 13:36
VLAI
Title
FastGPT: NoSQL Injection in updatePasswordByOld Leads to Account Takeover
Summary
FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password change endpoint is vulnerable to NoSQL injection. An authenticated attacker can bypass the "old password" verification by injecting MongoDB query operators. This allows an attacker who has gained a low-privileged session to change the password of their account (or others if combined with ID manipulation) without knowing the current one, leading to full account takeover and persistence. This issue has been fixed in version 4.14.9.5.
Severity
8.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
| https://github.com/labring/FastGPT/commit/bd966d4… | x_refsource_MISC |
| https://github.com/labring/FastGPT/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40352",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T13:23:11.617519Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T13:36:06.464Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c 4.14.9.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password change endpoint is vulnerable to NoSQL injection. An authenticated attacker can bypass the \"old password\" verification by injecting MongoDB query operators. This allows an attacker who has gained a low-privileged session to change the password of their account (or others if combined with ID manipulation) without knowing the current one, leading to full account takeover and persistence. This issue has been fixed in version 4.14.9.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-943",
"description": "CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T21:09:32.913Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-422w-vrfj-72g6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-422w-vrfj-72g6"
},
{
"name": "https://github.com/labring/FastGPT/commit/bd966d479fbe414d02679cf79f9eaaab3d100a2d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/commit/bd966d479fbe414d02679cf79f9eaaab3d100a2d"
},
{
"name": "https://github.com/labring/FastGPT/releases/tag/v4.14.9.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/releases/tag/v4.14.9.5"
}
],
"source": {
"advisory": "GHSA-422w-vrfj-72g6",
"discovery": "UNKNOWN"
},
"title": "FastGPT: NoSQL Injection in updatePasswordByOld Leads to Account Takeover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40352",
"datePublished": "2026-04-17T21:09:32.913Z",
"dateReserved": "2026-04-10T22:50:01.359Z",
"dateUpdated": "2026-04-20T13:36:06.464Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40351 (GCVE-0-2026-40351)
Vulnerability from cvelistv5 – Published: 2026-04-17 21:05 – Updated: 2026-04-20 14:57
VLAI
Title
FastGPT: NoSQL Injection in loginByPassword leads to Authentication Bypass
Summary
FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime validation, allowing an unauthenticated attacker to pass a MongoDB query operator object (e.g., {"$ne": ""}) as the password field. This NoSQL injection bypasses the password check, enabling login as any user including the root administrator. This issue has been fixed in version 4.14.9.5.
Severity
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
| https://github.com/labring/FastGPT/commit/bd966d4… | x_refsource_MISC |
| https://github.com/labring/FastGPT/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40351",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T14:47:36.369173Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T14:57:15.664Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c 4.14.9.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime validation, allowing an unauthenticated attacker to pass a MongoDB query operator object (e.g., {\"$ne\": \"\"}) as the password field. This NoSQL injection bypasses the password check, enabling login as any user including the root administrator. This issue has been fixed in version 4.14.9.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-943",
"description": "CWE-943: Improper Neutralization of Special Elements in Data Query Logic",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T21:05:05.911Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-x8mx-2mr7-h9xg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-x8mx-2mr7-h9xg"
},
{
"name": "https://github.com/labring/FastGPT/commit/bd966d479fbe414d02679cf79f9eaaab3d100a2d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/commit/bd966d479fbe414d02679cf79f9eaaab3d100a2d"
},
{
"name": "https://github.com/labring/FastGPT/releases/tag/v4.14.9.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/releases/tag/v4.14.9.5"
}
],
"source": {
"advisory": "GHSA-x8mx-2mr7-h9xg",
"discovery": "UNKNOWN"
},
"title": "FastGPT: NoSQL Injection in loginByPassword leads to Authentication Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40351",
"datePublished": "2026-04-17T21:05:05.911Z",
"dateReserved": "2026-04-10T22:50:01.359Z",
"dateUpdated": "2026-04-20T14:57:15.664Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40252 (GCVE-0-2026-40252)
Vulnerability from cvelistv5 – Published: 2026-04-10 20:52 – Updated: 2026-04-13 16:14
VLAI
Title
Broken Access Control (IDOR) Leading to Cross-Tenant Application Access in FastGPT
Summary
FastGPT is an AI Agent building platform. Prior to 4.14.10.4, Broken Access Control vulnerability (IDOR/BOLA) allows any authenticated team to access and execute applications belonging to other teams by supplying a foreign appId. While the API correctly validates the team token, it does not verify that the requested application belongs to the authenticated team. This leads to cross-tenant data exposure and unauthorized execution of private AI workflows. This vulnerability is fixed in 4.14.10.4.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
| https://github.com/labring/FastGPT/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40252",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T16:14:17.130465Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T16:14:30.862Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c 4.14.10.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. Prior to 4.14.10.4, Broken Access Control vulnerability (IDOR/BOLA) allows any authenticated team to access and execute applications belonging to other teams by supplying a foreign appId. While the API correctly validates the team token, it does not verify that the requested application belongs to the authenticated team. This leads to cross-tenant data exposure and unauthorized execution of private AI workflows. This vulnerability is fixed in 4.14.10.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T20:52:15.218Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-gc8m-w37w-24hw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-gc8m-w37w-24hw"
},
{
"name": "https://github.com/labring/FastGPT/releases/tag/v4.14.10.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/releases/tag/v4.14.10.4"
}
],
"source": {
"advisory": "GHSA-gc8m-w37w-24hw",
"discovery": "UNKNOWN"
},
"title": "Broken Access Control (IDOR) Leading to Cross-Tenant Application Access in FastGPT"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40252",
"datePublished": "2026-04-10T20:52:15.218Z",
"dateReserved": "2026-04-10T17:31:45.786Z",
"dateUpdated": "2026-04-13T16:14:30.862Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40100 (GCVE-0-2026-40100)
Vulnerability from cvelistv5 – Published: 2026-04-10 16:39 – Updated: 2026-04-15 14:47
VLAI
Title
FastGPT has Unauthenticated SSRF in /api/core/app/mcpTools/runTool via missing CHECK_INTERNAL_IP default
Summary
FastGPT is an AI Agent building platform. Prior to 4.14.10.3, the /api/core/app/mcpTools/runTool endpoint accepts arbitrary URLs without authentication. The internal IP check in isInternalAddress() only blocks private IPs when CHECK_INTERNAL_IP=true, which is not the default. This allows unauthenticated attackers to perform SSRF against internal network resources. This vulnerability is fixed in 4.14.10.3.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40100",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T14:45:56.717074Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T14:47:23.092Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c 4.14.10.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. Prior to 4.14.10.3, the /api/core/app/mcpTools/runTool endpoint accepts arbitrary URLs without authentication. The internal IP check in isInternalAddress() only blocks private IPs when CHECK_INTERNAL_IP=true, which is not the default. This allows unauthenticated attackers to perform SSRF against internal network resources. This vulnerability is fixed in 4.14.10.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T16:39:25.856Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-jrhc-f3j7-f8g4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-jrhc-f3j7-f8g4"
}
],
"source": {
"advisory": "GHSA-jrhc-f3j7-f8g4",
"discovery": "UNKNOWN"
},
"title": "FastGPT has Unauthenticated SSRF in /api/core/app/mcpTools/runTool via missing CHECK_INTERNAL_IP default"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40100",
"datePublished": "2026-04-10T16:39:25.856Z",
"dateReserved": "2026-04-09T01:41:38.536Z",
"dateUpdated": "2026-04-15T14:47:23.092Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34162 (GCVE-0-2026-34162)
Vulnerability from cvelistv5 – Published: 2026-03-31 13:43 – Updated: 2026-03-31 14:33
VLAI
Title
FastGPT: Unauthenticated SSRF via httpTools Endpoint Leads to Internal API Key Theft
Summary
FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint (/api/core/app/httpTools/runTool) is exposed without any authentication. This endpoint acts as a full HTTP proxy — it accepts a user-supplied baseUrl, toolPath, HTTP method, custom headers, and body, then makes a server-side HTTP request and returns the complete response to the caller. This issue has been patched in version 4.14.9.5.
Severity
10 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
| https://github.com/labring/FastGPT/pull/6640 | x_refsource_MISC |
| https://github.com/labring/FastGPT/commit/bc7eae2… | x_refsource_MISC |
| https://github.com/labring/FastGPT/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34162",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T14:33:27.055617Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T14:33:31.305Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-w36r-f268-pwrj"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c 4.14.9.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint (/api/core/app/httpTools/runTool) is exposed without any authentication. This endpoint acts as a full HTTP proxy \u2014 it accepts a user-supplied baseUrl, toolPath, HTTP method, custom headers, and body, then makes a server-side HTTP request and returns the complete response to the caller. This issue has been patched in version 4.14.9.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T13:43:20.981Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-w36r-f268-pwrj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-w36r-f268-pwrj"
},
{
"name": "https://github.com/labring/FastGPT/pull/6640",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/pull/6640"
},
{
"name": "https://github.com/labring/FastGPT/commit/bc7eae2ed61481a5e322208829be291faec58c00",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/commit/bc7eae2ed61481a5e322208829be291faec58c00"
},
{
"name": "https://github.com/labring/FastGPT/releases/tag/v4.14.9.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/releases/tag/v4.14.9.5"
}
],
"source": {
"advisory": "GHSA-w36r-f268-pwrj",
"discovery": "UNKNOWN"
},
"title": "FastGPT: Unauthenticated SSRF via httpTools Endpoint Leads to Internal API Key Theft"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34162",
"datePublished": "2026-03-31T13:43:20.981Z",
"dateReserved": "2026-03-25T20:12:04.197Z",
"dateUpdated": "2026-03-31T14:33:31.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34163 (GCVE-0-2026-34163)
Vulnerability from cvelistv5 – Published: 2026-03-31 13:43 – Updated: 2026-03-31 15:37
VLAI
Title
Server-Side Request Forgery via MCP Tools Endpoint in FastGPT
Summary
FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, FastGPT's MCP (Model Context Protocol) tools endpoints (/api/core/app/mcpTools/getTools and /api/core/app/mcpTools/runTool) accept a user-supplied URL parameter and make server-side HTTP requests to it without validating whether the URL points to an internal/private network address. Although the application has a dedicated isInternalAddress() function for SSRF protection (used in other endpoints like the HTTP workflow node), the MCP tools endpoints do not call this function. An authenticated attacker can use these endpoints to scan internal networks, access cloud metadata services, and interact with internal services such as MongoDB and Redis. This issue has been patched in version 4.14.9.5.
Severity
7.7 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
| https://github.com/labring/FastGPT/pull/6640 | x_refsource_MISC |
| https://github.com/labring/FastGPT/commit/bc7eae2… | x_refsource_MISC |
| https://github.com/labring/FastGPT/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34163",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T15:37:50.933430Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T15:37:59.791Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c 4.14.9.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, FastGPT\u0027s MCP (Model Context Protocol) tools endpoints (/api/core/app/mcpTools/getTools and /api/core/app/mcpTools/runTool) accept a user-supplied URL parameter and make server-side HTTP requests to it without validating whether the URL points to an internal/private network address. Although the application has a dedicated isInternalAddress() function for SSRF protection (used in other endpoints like the HTTP workflow node), the MCP tools endpoints do not call this function. An authenticated attacker can use these endpoints to scan internal networks, access cloud metadata services, and interact with internal services such as MongoDB and Redis. This issue has been patched in version 4.14.9.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T13:43:11.068Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-x9vj-5m4j-9mfv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-x9vj-5m4j-9mfv"
},
{
"name": "https://github.com/labring/FastGPT/pull/6640",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/pull/6640"
},
{
"name": "https://github.com/labring/FastGPT/commit/bc7eae2ed61481a5e322208829be291faec58c00",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/commit/bc7eae2ed61481a5e322208829be291faec58c00"
},
{
"name": "https://github.com/labring/FastGPT/releases/tag/v4.14.9.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/releases/tag/v4.14.9.5"
}
],
"source": {
"advisory": "GHSA-x9vj-5m4j-9mfv",
"discovery": "UNKNOWN"
},
"title": "Server-Side Request Forgery via MCP Tools Endpoint in FastGPT"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34163",
"datePublished": "2026-03-31T13:43:11.068Z",
"dateReserved": "2026-03-25T20:12:04.197Z",
"dateUpdated": "2026-03-31T15:37:59.791Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33075 (GCVE-0-2026-33075)
Vulnerability from cvelistv5 – Published: 2026-03-20 08:37 – Updated: 2026-03-20 13:48
VLAI
Title
FastGPT has Arbitrary Code Execution in GitHub Actions via pull_request_target in fastgpt-preview-image.yml
Summary
FastGPT is an AI Agent building platform. In versions 4.14.8.3 and below, the fastgpt-preview-image.yml workflow is vulnerable to arbitrary code execution and secret exfiltration by any external contributor. It uses pull_request_target (which runs with access to repository secrets) but checks out code from the pull request author's fork, then builds and pushes Docker images using attacker-controlled Dockerfiles. This also enables a supply chain attack via the production container registry. A patch was not available at the time of publication.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33075",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T13:47:53.551950Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T13:48:05.632Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c= 4.14.8.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is an AI Agent building platform. In versions 4.14.8.3 and below, the fastgpt-preview-image.yml workflow is vulnerable to arbitrary code execution and secret exfiltration by any external contributor. It uses pull_request_target (which runs with access to repository secrets) but checks out code from the pull request author\u0027s fork, then builds and pushes Docker images using attacker-controlled Dockerfiles. This also enables a supply chain attack via the production container registry. A patch was not available at the time of publication."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-494",
"description": "CWE-494: Download of Code Without Integrity Check",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-829",
"description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T08:37:16.169Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-xfx8-w35j-485c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-xfx8-w35j-485c"
}
],
"source": {
"advisory": "GHSA-xfx8-w35j-485c",
"discovery": "UNKNOWN"
},
"title": "FastGPT has Arbitrary Code Execution in GitHub Actions via pull_request_target in fastgpt-preview-image.yml"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33075",
"datePublished": "2026-03-20T08:37:16.169Z",
"dateReserved": "2026-03-17T19:27:06.344Z",
"dateUpdated": "2026-03-20T13:48:05.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}