FastGPT exposes AI tools to unauthenticated users

Vendor-confirmed - CVE-2026-34163 is a high SSRF vulnerability in FastGPT prior to 4.14.9.5 that lets authenticated attackers force the application server to send unauthorized HTTP requests to internal systems, enabling network scanning and credential theft from cloud metadata services. Upgrade to 4.14.9.5 to block this attack vector.

Overview

A server-side request forgery (SSRF) vulnerability has been identified in the FastGPT AI Agent building platform. Tracked as CVE-2026-34163, this flaw allows authenticated users to force the application server to make unauthorized HTTP requests to internal systems.

Vulnerability Details

In FastGPT versions prior to 4.14.9.5, two specific API endpoints (/api/core/app/mcpTools/getTools and /api/core/app/mcpTools/runTool) accept a user-controlled URL parameter. The server then makes a request to this URL. Crucially, these endpoints fail to validate if the supplied URL points to a private, internal network address. This oversight exists despite the application having a dedicated isInternalAddress() function for SSRF protection, which is correctly used elsewhere in the codebase. The missing check creates a direct path for exploitation.

Impact and Risks

With a CVSS score of 7.7 (HIGH), this vulnerability poses a significant risk. An attacker with a standard authenticated account can:

• Scan internal networks to discover other hosts and services.
• Access cloud metadata services (like AWS IMDS or Azure Instance Metadata Service) to potentially steal credentials and escalate access.
• Interact directly with internal services that should not be exposed, such as databases (MongoDB, Redis) or administrative panels. This can lead to data breaches, lateral movement within a network, and full system compromise. For context on the damage caused by such incidents, recent data breach reports are available at breach reports.

Remediation and Mitigation

The primary and most effective action is to immediately upgrade FastGPT to version 4.14.9.5 or later. This patch ensures the vulnerable MCP tools endpoints now correctly validate URLs using the existing isInternalAddress() function.

If an immediate upgrade is not possible, consider these temporary mitigation steps:

• Network Segmentation: Restrict outbound HTTP/HTTPS traffic from the FastGPT application server to the internet. Only allow necessary communications to external APIs.
• Access Control: Review and minimize the number of user accounts with access to the FastGPT application, adhering to the principle of least privilege. Monitor your application and network logs for any suspicious outbound connection attempts originating from the FastGPT server.

Security Insight

This vulnerability highlights a common development pitfall: inconsistent security implementation. FastGPT had a robust SSRF defense mechanism but failed to apply it uniformly across all relevant functions. It mirrors incidents in other platforms where security logic is “bolted on” to some components but not others during feature development, creating blind spots that attackers quickly discover and exploit.

Further Reading

• All High Vulnerabilities
• Recent Critical Vulnerabilities
• Top Critical CVEs