Unauthenticated Server-Side Request Forgery in FastGPT by Labring
CVE-2026-44286

2.3 LOW

Key Information:

Vendor: Labring

Status
Vendor
CVE Published: 8 May 2026

What is CVE-2026-44286?

FastGPT, an AI Agent building platform by Labring, contains a server-side request forgery (SSRF) vulnerability in versions prior to 4.14.17 that unauthenticated users can exploit. The flaw lets attackers, or authenticated users with app editing privileges, send arbitrary HTTP requests to internal network addresses by bypassing the internal network blocklist guard. The issue stems from the use of the fetchData function in the lafModule workflow node, which fails to properly validate user-controlled URLs. Users are encouraged to upgrade to version 4.14.17, where this vulnerability has been addressed.
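
As an added illustration (not FastGPT's code or its patch), the JavaScript below sketches the kind of check a server-side fetch helper needs before it requests a user-controlled URL: parse the URL, then refuse any destination that is, or resolves to, an internal address. The function names and the `resolvedAddrs` parameter are assumptions; the caller is assumed to have already resolved the hostname.

```javascript
// Added example: hypothetical helper names, not FastGPT code.
function isInternalV4(ip) {
  const o = ip.split('.').map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return true; // fail closed
  const [a, b] = o;
  return a === 0 || a === 10 || a === 127 ||      // "this" network, RFC 1918, loopback
    (a === 100 && b >= 64 && b <= 127) ||         // 100.64.0.0/10 shared address space
    (a === 169 && b === 254) ||                   // link-local (includes cloud metadata)
    (a === 172 && b >= 16 && b <= 31) ||          // RFC 1918
    (a === 192 && b === 168) || a >= 224;         // RFC 1918, multicast and reserved
}

function isInternalV6(ip) {
  const h = ip.toLowerCase();
  if (h === '::' || h === '::1') return true;     // unspecified, loopback
  const dotted = h.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  if (dotted) return isInternalV4(dotted[1]);     // IPv4-mapped, dotted form
  const hex = h.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (hex) {                                      // IPv4-mapped, as the URL parser serialises it
    const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
    return isInternalV4([hi >> 8, hi & 255, lo >> 8, lo & 255].join('.'));
  }
  const first = parseInt(h.split(':')[0] || '0', 16);
  return (first & 0xfe00) === 0xfc00 || (first & 0xffc0) === 0xfe80; // fc00::/7, fe80::/10
}

const isInternalAddress = (ip) => (ip.includes(':') ? isInternalV6(ip) : isInternalV4(ip));

// resolvedAddrs: every address the caller's DNS lookup returned for the hostname (assumed input).
function checkOutboundUrl(rawUrl, resolvedAddrs = []) {
  let url;
  try { url = new URL(rawUrl); } catch { return { allowed: false, reason: 'unparseable URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { allowed: false, reason: 'scheme not allowed' };
  }
  // WHATWG URL parsing has already rewritten numeric host forms to a dotted quad.
  const host = url.hostname.replace(/^\[|\]$/g, '');
  const literal = host.includes(':') || /^\d+\.\d+\.\d+\.\d+$/.test(host);
  const candidates = literal ? [host] : resolvedAddrs;
  if (candidates.length === 0) return { allowed: false, reason: 'no resolved address' };
  const bad = candidates.find(isInternalAddress);
  if (bad) return { allowed: false, reason: `internal address ${bad}` };
  // Connect to this vetted address, not a fresh lookup, so the answer cannot change afterwards.
  return { allowed: true, connectTo: candidates[0] };
}
```

The check has to run on every code path that issues a request, and again on each redirect target, since a guard applied in only some helpers leaves the others open.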

Affected Version(s)

FastGPT < 4.14.17

CVSS V4

Score: 2.3
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
