Server-Side Request Forgery Vulnerability in FastGPT by Labring
CVE-2026-44285

7.7 HIGH

Key Information:

Vendor: Labring
CVE Published: 29 May 2026

What is CVE-2026-44285?

FastGPT, an AI Agent building platform by Labring, contains a Server-Side Request Forgery (SSRF) flaw that an authenticated attacker can exploit. The flaw is in the dataset preview endpoint, /api/core/dataset/file/getPreviewChunks. An attacker can bypass the global isInternalAddress network protections and have the server issue arbitrary HTTP GET requests, gaining unauthorized access to internal network services. The issue arises from an incomplete fix related to the externalFile data import type. It is fixed in version 4.15.0-beta1.

Affected Version(s)

FastGPT < 4.15.0-beta1

CVSS V3.1

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved