Description
FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, FastGPT's MCP (Model Context Protocol) tools endpoints (/api/core/app/mcpTools/getTools and /api/core/app/mcpTools/runTool) accept a user-supplied URL parameter and make server-side HTTP requests to it without validating whether the URL points to an internal/private network address. Although the application has a dedicated isInternalAddress() function for SSRF protection (used in other endpoints like the HTTP workflow node), the MCP tools endpoints do not call this function. An authenticated attacker can use these endpoints to scan internal networks, access cloud metadata services, and interact with internal services such as MongoDB and Redis. This issue has been patched in version 4.14.9.5.
Published: 2026-03-31
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: Server Side Request Forgery enabling internal network reconnaissance and potential data exposure
Action: Patch Immediately
AI Analysis

Impact

FastGPT’s MCP tools endpoints allow an authenticated user to provide an arbitrary URL that the server then requests without verifying whether the address points to an internal or private network. This omission permits a Server Side Request Forgery that can be exploited to scan internal infrastructure, access cloud metadata services, or interact with internal databases such as MongoDB and Redis. The attacker could read or modify data, or use the internal access as a stepping stone for further compromise.

Affected Systems

The affected product is FastGPT from labring. All releases older than version 4.14.9.5 are vulnerable. The issue affects every deployment of the MCP tools endpoints that does not perform an internal address check, regardless of operating system or hosting environment.

Risk and Exploitability

The CVSS base score of 7.7 indicates a high severity. Although no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, authenticated users can exploit the flaw to access internal services, which presents a significant risk to confidentiality and integrity. The attack requires authentication but otherwise has a straightforward execution path through the undeclared URL parameter.

Generated by OpenCVE AI on March 31, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FastGPT to version 4.14.9.5 or later
  • If upgrade cannot be performed immediately, block outgoing HTTP requests originating from the /api/core/app/mcpTools endpoints until the patch is applied

Generated by OpenCVE AI on March 31, 2026 at 15:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Labring
Labring fastgpt
Vendors & Products Labring
Labring fastgpt

Tue, 31 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Description FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, FastGPT's MCP (Model Context Protocol) tools endpoints (/api/core/app/mcpTools/getTools and /api/core/app/mcpTools/runTool) accept a user-supplied URL parameter and make server-side HTTP requests to it without validating whether the URL points to an internal/private network address. Although the application has a dedicated isInternalAddress() function for SSRF protection (used in other endpoints like the HTTP workflow node), the MCP tools endpoints do not call this function. An authenticated attacker can use these endpoints to scan internal networks, access cloud metadata services, and interact with internal services such as MongoDB and Redis. This issue has been patched in version 4.14.9.5.
Title Server-Side Request Forgery via MCP Tools Endpoint in FastGPT
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Labring Fastgpt
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T15:37:59.791Z

Reserved: 2026-03-25T20:12:04.197Z

Link: CVE-2026-34163

cve-icon Vulnrichment

Updated: 2026-03-31T15:37:55.690Z

cve-icon NVD

Status : Received

Published: 2026-03-31T15:16:17.170

Modified: 2026-03-31T15:16:17.170

Link: CVE-2026-34163

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:38:37Z

Weaknesses