{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34163", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-25T20:12:04.197Z", "datePublished": "2026-03-31T13:43:11.068Z", "dateUpdated": "2026-03-31T15:37:59.791Z"}, "containers": {"cna": {"title": "Server-Side Request Forgery via MCP Tools Endpoint in FastGPT", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-x9vj-5m4j-9mfv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/labring/FastGPT/security/advisories/GHSA-x9vj-5m4j-9mfv"}, {"name": "https://github.com/labring/FastGPT/pull/6640", "tags": ["x_refsource_MISC"], "url": "https://github.com/labring/FastGPT/pull/6640"}, {"name": "https://github.com/labring/FastGPT/commit/bc7eae2ed61481a5e322208829be291faec58c00", "tags": ["x_refsource_MISC"], "url": "https://github.com/labring/FastGPT/commit/bc7eae2ed61481a5e322208829be291faec58c00"}, {"name": "https://github.com/labring/FastGPT/releases/tag/v4.14.9.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/labring/FastGPT/releases/tag/v4.14.9.5"}], "affected": [{"vendor": "labring", "product": "FastGPT", "versions": [{"version": "< 4.14.9.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T13:43:11.068Z"}, "descriptions": [{"lang": "en", "value": "FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, FastGPT's MCP (Model Context Protocol) tools endpoints (/api/core/app/mcpTools/getTools and /api/core/app/mcpTools/runTool) accept a user-supplied URL parameter and make server-side HTTP requests to it without validating whether the URL points to an internal/private network address. Although the application has a dedicated isInternalAddress() function for SSRF protection (used in other endpoints like the HTTP workflow node), the MCP tools endpoints do not call this function. An authenticated attacker can use these endpoints to scan internal networks, access cloud metadata services, and interact with internal services such as MongoDB and Redis. This issue has been patched in version 4.14.9.5."}], "source": {"advisory": "GHSA-x9vj-5m4j-9mfv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T15:37:50.933430Z", "id": "CVE-2026-34163", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T15:37:59.791Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34163", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T15:37:50.933430Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T15:37:55.690Z"}}], "cna": {"title": "Server-Side Request Forgery via MCP Tools Endpoint in FastGPT", "source": {"advisory": "GHSA-x9vj-5m4j-9mfv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "labring", "product": "FastGPT", "versions": [{"status": "affected", "version": "< 4.14.9.5"}]}], "references": [{"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-x9vj-5m4j-9mfv", "name": "https://github.com/labring/FastGPT/security/advisories/GHSA-x9vj-5m4j-9mfv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/labring/FastGPT/pull/6640", "name": "https://github.com/labring/FastGPT/pull/6640", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/labring/FastGPT/commit/bc7eae2ed61481a5e322208829be291faec58c00", "name": "https://github.com/labring/FastGPT/commit/bc7eae2ed61481a5e322208829be291faec58c00", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/labring/FastGPT/releases/tag/v4.14.9.5", "name": "https://github.com/labring/FastGPT/releases/tag/v4.14.9.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, FastGPT's MCP (Model Context Protocol) tools endpoints (/api/core/app/mcpTools/getTools and /api/core/app/mcpTools/runTool) accept a user-supplied URL parameter and make server-side HTTP requests to it without validating whether the URL points to an internal/private network address. Although the application has a dedicated isInternalAddress() function for SSRF protection (used in other endpoints like the HTTP workflow node), the MCP tools endpoints do not call this function. An authenticated attacker can use these endpoints to scan internal networks, access cloud metadata services, and interact with internal services such as MongoDB and Redis. This issue has been patched in version 4.14.9.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T13:43:11.068Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34163", "state": "PUBLISHED", "dateUpdated": "2026-03-31T15:37:59.791Z", "dateReserved": "2026-03-25T20:12:04.197Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T13:43:11.068Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fastgpt:fastgpt:*:*:*:*:*:*:*:*", "matchCriteriaId": "DE20269A-5497-4727-B3DD-3EDC1E1F234E", "versionEndExcluding": "4.14.9.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, FastGPT's MCP (Model Context Protocol) tools endpoints (/api/core/app/mcpTools/getTools and /api/core/app/mcpTools/runTool) accept a user-supplied URL parameter and make server-side HTTP requests to it without validating whether the URL points to an internal/private network address. Although the application has a dedicated isInternalAddress() function for SSRF protection (used in other endpoints like the HTTP workflow node), the MCP tools endpoints do not call this function. An authenticated attacker can use these endpoints to scan internal networks, access cloud metadata services, and interact with internal services such as MongoDB and Redis. This issue has been patched in version 4.14.9.5."}], "id": "CVE-2026-34163", "lastModified": "2026-04-01T18:28:47.027", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-31T15:16:17.170", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/labring/FastGPT/commit/bc7eae2ed61481a5e322208829be291faec58c00"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/labring/FastGPT/pull/6640"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/labring/FastGPT/releases/tag/v4.14.9.5"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/labring/FastGPT/security/advisories/GHSA-x9vj-5m4j-9mfv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.14.9.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "FastGPT", "source": "cna", "vendor": "labring"}, "product": "fastgpt", "vendor": "labring"}], "analysis": {"en": {"generated_at": "2026-04-02T04:55:43.216269+00:00", "value": {"mitigation_remediation": ["Apply the latest FastGPT release (v4.14.9.5 or newer) to eliminate the SSRF flaw.", "Limit access to the MCP tools endpoints to trusted network segments or authenticated service accounts to reduce exposure.", "Configure outbound firewall rules to block requests to private IP ranges from the FastGPT server.", "Ensure that internal URL validation is enforced in any custom MCP tooling or future extensions."], "summary": {"action": "Immediate Patch", "impact": "Internal network exposure via SSRF"}, "threat_synthesis": {"affected_systems": "FastGPT, published by labring, is vulnerable in all released versions before version 4.14.9.5. The issue affects the MCP tools endpoints of the application and applies to any deployment that exposes these routes, regardless of environment. There are no known variations in other products or modules.", "description_and_impact": "FastGPT's MCP tools endpoints (/api/core/app/mcpTools/getTools and /api/core/app/mcpTools/runTool) accept a user\u2011supplied URL and perform an HTTP call from the server without validating that the address is external. The isInternalAddress() check that protects other endpoints is omitted, allowing an attacker to point the request at any host. Because the calls are made from the application server, a malicious actor can reach internal services such as MongoDB, Redis, or cloud metadata endpoints. This behaviour permits scanning of local network topology, credential disclosure, and the potential for further lateral movement, which aligns with CWE\u2011918.", "risk_and_exploitability": "With a CVSS base score of 7.7, the flaw is considered high severity. The EPSS score below 1% and absence from the CISA KEV catalog suggest a low chance of widespread exploitation at this time. An attacker with valid credentials to the MCP tools endpoints can supply any target URL and trigger internal HTTP requests. The absence of internal address validation makes exploitation trivial once authenticated, enabling network probing and possible data exfiltration."}}}}, "created": "2026-03-31T19:54:43.470123+00:00", "updated": "2026-04-02T07:53:19.274316+00:00", "vendors": ["labring", "labring$PRODUCT$fastgpt"]}