Server-Side Request Forgery Vulnerability in FastGPT AI Agent Platform
CVE-2026-34163

7.7 HIGH

Key Information:

Vendor: Labring

CVE Published: 31 March 2026

What is CVE-2026-34163?

FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, its Model Context Protocol (MCP) tools contained a server-side request forgery (SSRF) vulnerability: the endpoints that handle these requests did not validate user-supplied URLs. By using the MCP tools, an authenticated attacker could probe internal networks and gain access to sensitive internal services, including databases and cloud metadata services. The vulnerability is addressed in version 4.14.9.5.
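The weakness described above is a server fetching a user-supplied URL without checking where it points. The following is an added example, not FastGPT's code or its 4.14.9.5 fix, of a pre-request check that rejects URLs resolving to non-public addresses; the function names, hostnames and DNS table are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample DNS data so the example runs offline (not from the advisory).
CONSTRUCTED_DNS = {
    "mcp.partner.example": ["93.184.216.34"],
    "db.corp.example": ["10.0.3.7"],
    "mixed.example": ["93.184.216.34", "::ffff:169.254.169.254"],
    "169.254.169.254": ["169.254.169.254"],
}

def constructed_resolver(host, port):
    return CONSTRUCTED_DNS[host]  # KeyError stands in for a failed lookup

def system_resolver(host, port):
    """Every address the operating system returns for host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def is_public_ip(text):
    ip = ipaddress.ip_address(text.split("%")[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    return ip.is_global  # False for private, loopback, link-local, reserved

def check_outbound_url(url, resolver=system_resolver):
    """Return (allowed, reason, addresses) for a user-supplied URL."""
    try:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            return False, "scheme not allowed", []
        if not parts.hostname:
            return False, "no host in URL", []
        port = parts.port or (443 if parts.scheme == "https" else 80)
        addresses = list(resolver(parts.hostname, port))
    except (OSError, ValueError, KeyError) as exc:
        return False, f"cannot resolve: {exc!r}", []
    # One internal address among several is enough to reject the URL.
    blocked = [a for a in addresses if not is_public_ip(a)]
    if blocked or not addresses:
        return False, "non-public or missing address: " + ", ".join(blocked), []
    return True, "ok", addresses
```

The caller should connect to the returned addresses rather than resolving the hostname a second time, and run the same check on every redirect target.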

Affected Version(s)

FastGPT < 4.14.9.5

CVSS V3.1

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
