Description
FastGPT is an AI Agent building platform. Prior to 4.14.10.3, the /api/core/app/mcpTools/runTool endpoint accepts arbitrary URLs without authentication. The internal IP check in isInternalAddress() only blocks private IPs when CHECK_INTERNAL_IP=true, which is not the default. This allows unauthenticated attackers to perform SSRF against internal network resources. This vulnerability is fixed in 4.14.10.3.
Published: 2026-04-10
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Server Side Request Forgery (SSRF) can access internal network resources
Action: Immediate Patch
AI Analysis

Impact

FastGPT, an AI agent platform, contains an endpoint that accepts arbitrary URLs without requiring authentication. The internal address check is only active when a configuration flag is true, which is not the default. As a result, an unauthenticated attacker can instruct the server to resolve and communicate with any URL, including internal IP addresses. This SSRF flaw can let an attacker exfiltrate information, access restricted services, or perform internal network reconnaissance.

Affected Systems

The vulnerability affects the FastGPT product by labring. Versions prior to 4.14.10.3 are impacted; the issue was addressed in release 4.14.10.3.

Risk and Exploitability

The CVSS base score is 5.3, indicating a medium severity risk. No EPSS data is public and the vulnerability is not listed in the CISA KEV catalog, suggesting exploitation is not broadly observed yet. Nonetheless, because authentication is bypassed, any external user can trigger the SSRF endpoint. An attacker need only send a crafted request to the /api/core/app/mcpTools/runTool URL, and if the flag controlling internal IP checks is left in its default state, the server will resolve the supplied URL without restriction.

Generated by OpenCVE AI on April 10, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch 4.14.10.3 or newer to FastGPT to fix the SSRF issue.
  • If upgrading immediately is not possible, limit access to the /api/core/app/mcpTools/runTool endpoint by firewalling or restricting network interfaces so that only trusted hosts can reach it.
  • Enable the internal IP check flag (CHECK_INTERNAL_IP=true) in configuration to block requests to private IP ranges until a patch can be applied.

Generated by OpenCVE AI on April 10, 2026 at 18:23 UTC.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 19:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Fastgpt; Fastgpt fastgpt
CPEs                |                | cpe:2.3:a:fastgpt:fastgpt:*:*:*:*:*:*:*:*
Vendors & Products  |                | Fastgpt; Fastgpt fastgpt

Wed, 15 Apr 2026 15:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 13:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Labring; Labring fastgpt
Vendors & Products  |                | Labring; Labring fastgpt

Fri, 10 Apr 2026 17:15:00 +0000

Type        | Values Removed | Values Added
Description |                | FastGPT is an AI Agent building platform. Prior to 4.14.10.3, the /api/core/app/mcpTools/runTool endpoint accepts arbitrary URLs without authentication. The internal IP check in isInternalAddress() only blocks private IPs when CHECK_INTERNAL_IP=true, which is not the default. This allows unauthenticated attackers to perform SSRF against internal network resources. This vulnerability is fixed in 4.14.10.3.
Title       |                | FastGPT has Unauthenticated SSRF in /api/core/app/mcpTools/runTool via missing CHECK_INTERNAL_IP default
Weaknesses  |                | CWE-918
References  |                |
Metrics     |                | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T14:47:23.092Z

Reserved: 2026-04-09T01:41:38.536Z

Link: CVE-2026-40100

Vulnrichment

Updated: 2026-04-15T14:47:17.441Z

NVD

Status: Analyzed

Published: 2026-04-10T17:17:12.997

Modified: 2026-04-15T19:02:57.257

Link: CVE-2026-40100

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T13:00:19Z

Weaknesses