DNS Rebinding Vulnerability in FastGPT AI Agent Platform
CVE-2026-42344
6.3 MEDIUM
What is CVE-2026-42344?
The FastGPT AI Agent platform, in versions 4.14.11 and earlier, is susceptible to a DNS rebinding vulnerability caused by a flaw in the isInternalAddress() function. The function resolves hostnames with dns.resolve4() and dns.resolve6() and checks the resolved IPs against private address ranges, but that validation is not carried through to the actual HTTP request. Because DNS resolution for the check and for the request happen as separate steps, DNS records can change between validation and data retrieval, potentially allowing attackers to manipulate network requests. As of the latest information, no patches have been released to address this vulnerability.
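One common way to close the window between validation and retrieval is to hand the validated address itself to the socket, so the HTTP client never resolves the name a second time. The following is an added example, not FastGPT's code or a published fix: `makePinnedLookup`, `isInternalIPv4`, `makeChangingResolver` and `connectTarget` are hypothetical names, the range list is an IPv4-only assumption, and the resolver and addresses are constructed so it runs offline.

```javascript
// Added example with a constructed resolver and addresses; no network access.

// IPv4-only check: 0.0.0.0/8, loopback, RFC 1918 and link-local ranges.
function isInternalIPv4(ip) {
  const o = ip.split('.').map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) {
    return true; // fail closed on anything that is not a dotted quad
  }
  return o[0] === 0 || o[0] === 10 || o[0] === 127 ||
    (o[0] === 169 && o[1] === 254) ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168);
}

// Returns a function with the (hostname, options, callback) shape that
// http.request and net.connect accept as their `lookup` option. The address
// that passes validation is the address given to the socket, so a record
// that changes afterwards has no later resolution to influence.
function makePinnedLookup(resolve4) {
  return function pinnedLookup(hostname, options, callback) {
    if (typeof options === 'function') { callback = options; options = {}; }
    resolve4(hostname, (err, addresses) => {
      if (err) return callback(err);
      // Reject if ANY answer is internal, not only the first one.
      if (!addresses.length || addresses.some(isInternalIPv4)) {
        return callback(new Error(`blocked: ${hostname} resolves to an internal address`));
      }
      if (options && options.all) {
        return callback(null, addresses.map((address) => ({ address, family: 4 })));
      }
      callback(null, addresses[0], 4);
    });
  };
}

// Constructed resolver whose answer differs between the first and later
// queries, standing in for a record that changes after validation.
function makeChangingResolver(first, later) {
  let calls = 0;
  return (hostname, cb) => cb(null, calls++ === 0 ? [first] : [later]);
}

// Runs one pinned lookup and reports what the socket would be given.
function connectTarget(lookup, hostname) {
  let result;
  lookup(hostname, {}, (err, address) => { result = err ? `error: ${err.message}` : address; });
  return result;
}
```

In a Node.js service the resolver argument would be `dns.resolve4` and the returned function would be passed as the `lookup` option of the outgoing request. Node skips `lookup` when the host is already an IP literal, so literals still need a direct range check before the request is made.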
Affected Version(s)
FastGPT <= 4.14.11
