Vulnerability in FastGPT AI Platform by LabRing
CVE-2026-42345

7.7HIGH

Key Information:

Vendor: Labring
Status: Fastgpt
Vendor: CVE Published:; 8 May 2026

What is CVE-2026-42345?

The FastGPT platform, utilized for AI agent creation, is vulnerable due to insufficient validation in its isInternalAddress() function. This function, intended to block access to crucial cloud metadata endpoints, can be circumvented using multiple URL encoding techniques. These techniques can evade the static blocklist checks, allowing unauthorized access to the metadata services. Moreover, the default configuration disables essential checks for private IP addresses, compounding the issue. As of now, no patches are available, leaving users exposed to potential exploitation.

Affected Version(s)

FastGPT <= 4.14.11

References

https://github.com/labring/FastGPT/security/advisories/GH...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 8, 2026
Vulnerability Reserved
Apr 26, 2026

CVE-2026-42345 Data

JSON

Labring

What is CVE-2026-42345?

Affected Version(s)

References

CVSS V3.1

Timeline