Description
FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, FastGPT's MCP (Model Context Protocol) tools endpoints (/api/core/app/mcpTools/getTools and /api/core/app/mcpTools/runTool) accept a user-supplied URL parameter and make server-side HTTP requests to it without validating whether the URL points to an internal/private network address. Although the application has a dedicated isInternalAddress() function for SSRF protection (used in other endpoints like the HTTP workflow node), the MCP tools endpoints do not call this function. An authenticated attacker can use these endpoints to scan internal networks, access cloud metadata services, and interact with internal services such as MongoDB and Redis. This issue has been patched in version 4.14.9.5.
Published: 2026-03-31
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Internal network exposure via SSRF
Action: Immediate Patch
AI Analysis

Impact

FastGPT's MCP tools endpoints (/api/core/app/mcpTools/getTools and /api/core/app/mcpTools/runTool) accept a user‑supplied URL and perform an HTTP call from the server without validating that the address is external. The isInternalAddress() check that protects other endpoints is omitted, allowing an attacker to point the request at any host. Because the calls are made from the application server, a malicious actor can reach internal services such as MongoDB, Redis, or cloud metadata endpoints. This behaviour permits scanning of local network topology, credential disclosure, and the potential for further lateral movement, which aligns with CWE‑918.

Affected Systems

FastGPT, published by labring, is vulnerable in all released versions before version 4.14.9.5. The issue affects the MCP tools endpoints of the application and applies to any deployment that exposes these routes, regardless of environment. There are no known variations in other products or modules.

Risk and Exploitability

With a CVSS base score of 7.7, the flaw is considered high severity. The EPSS score below 1% and absence from the CISA KEV catalog suggest a low chance of widespread exploitation at this time. An attacker with valid credentials to the MCP tools endpoints can supply any target URL and trigger internal HTTP requests. The absence of internal address validation makes exploitation trivial once authenticated, enabling network probing and possible data exfiltration.

Generated by OpenCVE AI on April 2, 2026 at 04:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest FastGPT release (v4.14.9.5 or newer) to eliminate the SSRF flaw.
  • Limit access to the MCP tools endpoints to trusted network segments or authenticated service accounts to reduce exposure.
  • Configure outbound firewall rules to block requests to private IP ranges from the FastGPT server.
  • Ensure that internal URL validation is enforced in any custom MCP tooling or future extensions.
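A sketch of the internal URL validation recommended above, for custom MCP tooling. It is an added example, not FastGPT's isInternalAddress() (which this page does not show); all function names are hypothetical, and the caller is assumed to pass in every address DNS returned for the hostname and to connect only to those addresses.

```javascript
// Added example with hypothetical names; not code from FastGPT.
const BLOCKED_V4 = [ // [network, prefix]: "this" net, private, CGNAT, loopback, link-local
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;
const v4ToInt = (ip) => ip.split('.').reduce((n, o) => n * 256 + Number(o), 0);

function isInternalV4(ip) {
  const addr = v4ToInt(ip);
  return BLOCKED_V4.some(([net, bits]) => {
    const size = 2 ** (32 - bits); // number of addresses in the block
    return Math.floor(addr / size) === Math.floor(v4ToInt(net) / size);
  });
}

// Expects the compressed lowercase form that the WHATWG URL parser emits.
function isInternalV6(ip) {
  if (ip === '::' || ip === '::1') return true; // unspecified, loopback
  const m = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(ip); // IPv4-mapped
  if (m) {
    const [hi, lo] = [parseInt(m[1], 16), parseInt(m[2], 16)];
    return isInternalV4([hi >> 8, hi & 255, lo >> 8, lo & 255].join('.'));
  }
  return /^f[cd][0-9a-f]{2}:/.test(ip) || /^fe[89ab][0-9a-f]:/.test(ip); // fc00::/7, fe80::/10
}

// host is URL.hostname output: true/false for an IP literal, null for a DNS name.
function checkLiteral(host) {
  if (host.startsWith('[')) return isInternalV6(host.slice(1, -1));
  return IPV4.test(host) ? isInternalV4(host) : null;
}

// Canonicalise a resolved address through the URL parser; anything odd fails closed.
function isInternalIp(ip) {
  try { return checkLiteral(new URL(`http://${ip.includes(':') ? `[${ip}]` : ip}/`).hostname) !== false; }
  catch { return true; }
}

// True when the URL must be refused before any server-side request is made.
function isInternalTarget(rawUrl, resolvedIps = []) {
  let url;
  try { url = new URL(rawUrl); } catch { return true; }
  if (!['http:', 'https:'].includes(url.protocol)) return true;
  const verdict = checkLiteral(url.hostname); // parser already folded 0x7f.1, 2130706433, ...
  if (verdict !== null) return verdict;
  if (url.hostname === 'localhost' || url.hostname.endsWith('.localhost')) return true;
  return resolvedIps.length === 0 || resolvedIps.some(isInternalIp);
}
```

The range list covers the common private, loopback and link-local blocks only; extend it for any other ranges that are routable inside your environment.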



Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Fastgpt; Fastgpt fastgpt |
| CPEs | | `cpe:2.3:a:fastgpt:fastgpt:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Fastgpt; Fastgpt fastgpt |

Wed, 01 Apr 2026 02:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Labring; Labring fastgpt |
| Vendors & Products | | Labring; Labring fastgpt |

Tue, 31 Mar 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` |


Tue, 31 Mar 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, FastGPT's MCP (Model Context Protocol) tools endpoints (/api/core/app/mcpTools/getTools and /api/core/app/mcpTools/runTool) accept a user-supplied URL parameter and make server-side HTTP requests to it without validating whether the URL points to an internal/private network address. Although the application has a dedicated isInternalAddress() function for SSRF protection (used in other endpoints like the HTTP workflow node), the MCP tools endpoints do not call this function. An authenticated attacker can use these endpoints to scan internal networks, access cloud metadata services, and interact with internal services such as MongoDB and Redis. This issue has been patched in version 4.14.9.5. |
| Title | | Server-Side Request Forgery via MCP Tools Endpoint in FastGPT |
| Weaknesses | | CWE-918 |
| References | | |
| Metrics | | cvssV3_1: `{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}` |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T15:37:59.791Z

Reserved: 2026-03-25T20:12:04.197Z

Link: CVE-2026-34163

Vulnrichment

Updated: 2026-03-31T15:37:55.690Z

NVD

Status: Analyzed

Published: 2026-03-31T15:16:17.170

Modified: 2026-04-01T18:28:47.027

Link: CVE-2026-34163

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:53:19Z
