RAXE-2026-047 CRITICAL CVSS 10.0 v3.1 S2

FastGPT AI Agent Platform Unauthenticated HTTP Proxy and MCP SSRF

Agent Security 2026-04-03 M. Hirani TLP:GREEN

Executive Summary

FastGPT, an AI agent-building platform maintained by labring, contains two server-side request forgery (SSRF) vulnerabilities with differing severity and privilege requirements. CVE-2026-34162 (CVSS 10.0 CRITICAL) exposes an HTTP tools testing endpoint without any authentication, allowing any unauthenticated caller on the internet to direct the FastGPT server to issue arbitrary outbound HTTP requests — effectively turning the server into an open HTTP proxy. CVE-2026-34163 (CVSS 7.7 HIGH) is a separate SSRF in the Model Context Protocol (MCP) tools endpoints; it accepts user-supplied URLs and issues server-side requests to internal network addresses without validation, but exploitation requires a low-privilege authenticated session. Both vulnerabilities are fixed in FastGPT version 4.14.9.5 (NVD). Organisations running internet-accessible FastGPT instances should treat this as a priority upgrade with no published workaround available short of patching or network-layer endpoint blocking.


Vulnerability Overview

| CVE | CVSS | Severity | Auth Required | CWE | Fix Version |
|---|---|---|---|---|---|
| CVE-2026-34162 | 10.0 | CRITICAL | None (PR:N) | CWE-306, CWE-918 | 4.14.9.5 |
| CVE-2026-34163 | 7.7 | HIGH | Low-privilege (PR:L) | CWE-918 | 4.14.9.5 |

Affected product: FastGPT (labring). NVD lists affected versions as prior to 4.14.9.5 (NVD versionEndExcluding). The vendor GHSAs (GHSA-w36r-f268-pwrj, GHSA-x9vj-5m4j-9mfv) list affected versions as < 4.14.8.3 (GHSA-w36r-f268-pwrj) and 4.14.8.3 with no patched version noted (GHSA-x9vj-5m4j-9mfv). The fix is in version 4.14.9.5; versions between 4.14.8.3 and 4.14.9.5 may not exist in the release chain.

Am I Affected?

  • Confirm you are running labring FastGPT (not a third-party fork under a different name).
  • Check your deployed version against the fix threshold: any version prior to 4.14.9.5 is affected.
  • Confirm whether the FastGPT instance is network-accessible without an upstream authentication proxy. If the instance is directly internet-accessible, CVE-2026-34162 is exploitable by any unauthenticated caller without further preconditions.
  • For CVE-2026-34163, confirm whether low-privilege user accounts can access MCP tool configuration. Any deployment with open user registration or multiple user accounts should assume the affected code path is reachable.

Technical Analysis — CVE-2026-34162 (Unauthenticated HTTP Proxy)

RAXE Assessment. The /api/core/app/httpTools/runTool endpoint is exposed without authentication controls (NVD). The endpoint accepts a caller-supplied target URL and issues an outbound HTTP request from the FastGPT server to that target, returning the response to the caller. Because no authentication is enforced and no URL validation restricts the target to safe external addresses, any unauthenticated network-reachable party can direct the server to issue arbitrary HTTP requests on their behalf.

The exploitation primitive is equivalent to an open HTTP proxy: the FastGPT server acts as a relay between the external attacker and any network address the server can reach. From a network-control perspective, server-originated traffic is frequently permitted to reach internal services that block external callers directly. The vulnerability therefore provides an unauthenticated path to:

  • Enumerate internal services — cloud metadata endpoints (such as the IMDS link-local address at 169.254.169.254), internal APIs, and databases with HTTP interfaces accessible via RFC-1918 space from the FastGPT host.
  • Exfiltrate data visible at those internal addresses via the response returned to the caller.
  • Bypass network perimeter controls that restrict inbound external connections but permit server-originated outbound traffic to reach internal infrastructure.

NVD classifies this vulnerability under CWE-306 (Missing Authentication for Critical Function) and CWE-918 (Server-Side Request Forgery) (NVD). The CWE-306 classification is consistent with the hypothesis that this endpoint was a developer-facing testing utility inadvertently left accessible in production builds (see RAXE Assessment Notes).

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N — base score 10.0 CRITICAL (NVD).

The scope-changed (S:C) element reflects the attacker's ability to interact with network infrastructure beyond the FastGPT application boundary. Confidentiality and Integrity impacts are both rated HIGH; Availability is not in scope for this vector.


Technical Analysis — CVE-2026-34163 (Authenticated MCP SSRF)

RAXE Assessment. The Model Context Protocol (MCP) tools endpoints in FastGPT accept user-supplied URLs and issue server-side HTTP requests without validating whether the target URL resolves to an internal or private network address (NVD). Unlike CVE-2026-34162, exploitation of this vulnerability requires a low-privilege authenticated session.

A logged-in user with minimal permissions who can access MCP tool configuration can supply an internal address as the tool's endpoint URL. The FastGPT server will then issue an HTTP request to that address and return the response to the authenticated user. This enables:

  • Internal network enumeration: mapping services accessible from the FastGPT host over RFC-1918, loopback, or link-local space.
  • Exfiltration of cloud metadata endpoint data — environment credentials and instance identity — from the IMDS address if the FastGPT host is a cloud instance.
  • Read access to internal HTTP-accessible services (administrative interfaces, internal APIs, databases) that are not intended to be reachable by application-layer users.

NVD classifies this vulnerability under CWE-918 (Server-Side Request Forgery) (NVD). The Integrity impact is rated N (not affected); this vulnerability provides read access but not write capability to the internal target services.

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N — base score 7.7 HIGH (NVD).

The scope-changed (S:C) element reflects the same cross-boundary reach as CVE-2026-34162. The PR:L (low privileges required) element is the primary factor distinguishing this score from the 10.0 rating of CVE-2026-34162.


CVSS Divergence Note

The metadata CVSS for RAXE-2026-047 is 10.0, corresponding to the primary vulnerability CVE-2026-34162. The secondary vulnerability CVE-2026-34163 carries a distinct CVSS score of 7.7 HIGH. CVE-2026-34162 has both an NVD Primary score (10.0) and a CNA-submitted score (10.0 per NVD record, displayed as 9.8 on GHSA page, from GitHub Security Advisories); the divergence is in the Availability metric (NVD: A:N vs CNA: A:L), both computing to CRITICAL severity. CVE-2026-34163 has both an NVD Primary score (7.7) and a CNA-submitted score (7.7) from GitHub Security Advisories, with identical vectors; no scoring divergence exists for this CVE. The GHSA for CVE-2026-34163 displays CVSS 7.5, differing from the NVD-recorded CNA score of 7.7. This advisory uses the NVD-recorded values throughout.

The difference between the two CVE scores primarily reflects the authentication boundary. CVE-2026-34162 is pre-authentication (PR:N) — no credentials are required and the vulnerability is reachable by any unauthenticated caller. CVE-2026-34163 is post-authentication (PR:L) — a valid low-privilege session is required. Both share the same network attack vector (AV:N), low attack complexity (AC:L), no user interaction required (UI:N), scope changed (S:C), and high confidentiality impact (C:H). The integrity impact also differs: CVE-2026-34162 carries I:H (the HTTP proxy can be used to send write-capable requests to internal services), whilst CVE-2026-34163 carries I:N (the MCP SSRF path provides read access only).

See above for score provenance detail. When discussing this finding, CVE-2026-34162 should be described as "critical" (CVSS 10.0) and CVE-2026-34163 as "high" (CVSS 7.7). The overall finding severity is determined by the higher-rated primary CVE.


Impact Assessment

The combined attack surface affects any organisation running a FastGPT instance prior to version 4.14.9.5.

Unauthenticated external attacker (CVE-2026-34162 only). Any party that can reach the FastGPT instance over the network can exploit the unauthenticated HTTP proxy endpoint without obtaining credentials. No prior foothold is required. Automated vulnerability scanners with no purpose-built exploit code are sufficient for initial exploitation given the CVSS PR:N / AC:L rating.

Authenticated attacker with a standard user account (CVE-2026-34163). A threat actor who has obtained any low-privilege account — through credential stuffing, phishing, or insider access — gains an independent SSRF path via MCP tooling. This path persists even in deployments where network controls or a reverse proxy block the unauthenticated endpoint of CVE-2026-34162.

Chained scenario (RAXE Assessment). An attacker beginning without credentials could use CVE-2026-34162 to enumerate and exfiltrate data from internal network resources accessible without authentication. If credentials are subsequently obtained — for example via cloud metadata credential exfiltration through the same unauthenticated proxy path — CVE-2026-34163 provides a second, independent SSRF vector targeting internal network resources through the authenticated MCP tools path. This chained scenario is a RAXE assessment based on the logical relationship between the two vulnerabilities; it has not been independently verified against a live instance (Access Tier T1, black-box assessment).


Exploitation Context

EPSS scores as of 2026-04-03 (sourced from FIRST.org EPSS):

| CVE | CVSS | EPSS Score | EPSS Percentile |
|---|---|---|---|
| CVE-2026-34162 | 10.0 CRITICAL | 0.00128 (0.128%) | 32.3rd |
| CVE-2026-34163 | 7.7 HIGH | 0.00029 (0.029%) | 8.2nd |

Both CVEs carry low absolute EPSS scores despite vendor-published PoC code being available in both GHSAs (see below). Low EPSS scores should not be interpreted as reducing the urgency of remediation for CVE-2026-34162. EPSS measures probability of observed exploitation in the wild within 30 days; it does not measure ease of exploitation or PoC availability. The CVSS PR:N / AC:L / UI:N profile of CVE-2026-34162 means any party with network access to the endpoint and a standard HTTP client has a sufficient toolkit for exploitation — the vendor-published curl examples demonstrate this directly.

Both vendor advisories include detailed proof-of-concept sections. GHSA-w36r-f268-pwrj (CVE-2026-34162) provides curl-based PoC examples demonstrating unauthenticated access to internal MongoDB, API key exfiltration from the AI proxy service, and internal endpoint probing. GHSA-x9vj-5m4j-9mfv (CVE-2026-34163) provides curl and Burp Suite PoC examples demonstrating authenticated SSRF to Redis, MongoDB, and cloud metadata endpoints. The availability of vendor-published PoC code lowers the barrier to exploitation.

Key Assumption KA-3: No confirmed in-the-wild exploitation of either CVE as of 2026-04-03. This assumption is based on the absence of exploitation reports in NVD, CISA KEV, and monitored social media sources at the time of this publication.


Detection Guidance

Two detection rules are provided — one per CVE — reflecting the distinct authentication requirements and affected endpoints.

Sigma Rule 1 — CVE-2026-34162: Unauthenticated HTTP Proxy Endpoint Access

Detects HTTP requests to /api/core/app/httpTools/runTool without an authorisation header. Compatible with web server access logs, reverse proxy logs (NGINX, Apache, AWS ALB), and structured log sources capturing URI path and authorisation header fields.

title: FastGPT Unauthenticated HTTP Proxy Endpoint Access (CVE-2026-34162)
id: a3e7c1d2-4f85-4a6b-b3e1-9d02c8f6a701
status: experimental
description: >
  Detects HTTP requests to the FastGPT /api/core/app/httpTools/runTool endpoint
  without an authorisation header or session token. This endpoint is exposed without
  authentication in FastGPT versions prior to 4.14.9.5 and acts as an unrestricted
  open HTTP proxy (CVE-2026-34162, CVSS 10.0 CRITICAL, CWE-306 / CWE-918).
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-34162
author: RAXE Intel Lab
date: 2026-04-03
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2026-34162
logsource:
  category: webserver
  product: generic
detection:
  selection_endpoint:
    cs_uri_stem|contains: '/api/core/app/httpTools/runTool'
  filter_has_auth:
    cs_authorization|startswith:
      - 'Bearer '
      - 'Token '
  condition: selection_endpoint and not filter_has_auth
fields:
  - cs_uri_stem
  - cs_method
  - c_ip
  - sc_status
  - cs_authorization
  - cs_user_agent
falsepositives:
  - Developer testing in non-production environments without auth tokens
  - Automated health checks that omit auth headers
  - Log sources that do not capture authorisation headers (high FP volume without IP-based tuning)
level: critical

Sigma Rule 2 — CVE-2026-34163: Authenticated MCP SSRF to Internal Network

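Detects requests to FastGPT MCP tool endpoints where the URI query string or request body contains an RFC-1918, loopback, or link-local IP address. Requires a log source that captures URI query strings or, ideally, parsed request bodies via a WAF or API gateway. As written, the detection block matches on cs_uri_query only; where request bodies are logged, extend selection_internal_target to the field that holds them.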

title: FastGPT Authenticated MCP SSRF Request to Internal Network Address (CVE-2026-34163)
id: b8f2d4e1-7c93-4b7a-a9e3-1c84d7b5f902
status: experimental
description: >
  Detects HTTP requests to FastGPT MCP tool endpoints where the request body or
  query parameters contain an internal or link-local IP address target, indicating
  a potential SSRF attempt. CVE-2026-34163 (CVSS 7.7 HIGH, CWE-918) affects FastGPT
  prior to 4.14.9.5. Exploitation requires a low-privilege authenticated session.
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-34163
author: RAXE Intel Lab
date: 2026-04-03
tags:
  - attack.discovery
  - attack.t1590
  - attack.lateral_movement
  - attack.t1021
  - cve.2026-34163
logsource:
  category: webserver
  product: generic
detection:
  selection_mcp_endpoints:
    cs_uri_stem|contains:
      - '/api/core/app/mcpTools/'
      - '/api/core/app/mcp/'
      - '/api/support/mcp/'
  selection_internal_target:
    cs_uri_query|re: '(169\.254\.|10\.\d{1,3}\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|127\.\d|localhost|::1|fe80::)'
  condition: selection_mcp_endpoints and selection_internal_target
fields:
  - cs_uri_stem
  - cs_uri_query
  - cs_method
  - c_ip
  - sc_status
  - cs_authorization
  - cs_user_agent
falsepositives:
  - Legitimate internal testing with MCP tools pointed at internal test services
  - Monitoring health checks from internal address space
level: high
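
The logic of the two Sigma rules above, evaluated in Python over constructed log records to show what fires and what does not. This is an added example, not part of the RAXE rule set: the record ids, the cs_body field, the `/example` sub-path and the tuned regex are assumptions made here.

```python
import re
from urllib.parse import unquote

PROXY_PATH = "/api/core/app/httptools/runtool"   # compared lower-cased
MCP_PATHS = ("/api/core/app/mcptools/", "/api/core/app/mcp/", "/api/support/mcp/")

# Regex copied verbatim from selection_internal_target in Sigma Rule 2.
RULE2_RE = re.compile(
    r"(169\.254\.|10\.\d{1,3}\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|127\.\d"
    r"|localhost|::1|fe80::)"
)
# Tuned variant (assumption of this example): an IPv4 prefix must not follow a
# digit or a dot, so a public address such as 110.45.6.7 is not read as "10.45.".
TUNED_RE = re.compile(
    r"(?<![\d.])(169\.254\.|10\.\d{1,3}\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|127\.\d)"
    r"|localhost|::1|fe80::"
)


def rule1_unauth_proxy(rec):
    """Sigma Rule 1: proxy endpoint requested without a Bearer/Token header."""
    stem = rec.get("cs_uri_stem", "").lower()   # Sigma string matches ignore case
    auth = (rec.get("cs_authorization") or "").lower()
    return PROXY_PATH in stem and not auth.startswith(("bearer ", "token "))


def is_mcp(rec):
    stem = rec.get("cs_uri_stem", "").lower()
    return any(path in stem for path in MCP_PATHS)


def rule2_as_written(rec):
    """Sigma Rule 2: MCP path plus the rule's regex over cs_uri_query only."""
    return is_mcp(rec) and bool(RULE2_RE.search(rec.get("cs_uri_query", "")))


def rule2_tuned(rec):
    """Tuned regex over the percent-decoded query and, where logged, the body."""
    text = unquote(rec.get("cs_uri_query", "")) + " " + rec.get("cs_body", "")
    return is_mcp(rec) and bool(TUNED_RE.search(text))


# Constructed records, not real traffic. cs_body is a hypothetical field that
# exists only when a WAF or API gateway logs request bodies.
SAMPLE = [
    {"id": "proxy-noauth", "cs_uri_stem": "/api/core/app/httpTools/runTool",
     "cs_authorization": "", "c_ip": "203.0.113.7"},
    {"id": "proxy-bearer", "cs_uri_stem": "/api/core/app/httpTools/runTool",
     "cs_authorization": "Bearer constructed-token", "c_ip": "198.51.100.4"},
    {"id": "mcp-query-imds", "cs_uri_stem": "/api/core/app/mcpTools/example",
     "cs_uri_query": "url=http%3A%2F%2F169.254.169.254%2F"},
    {"id": "mcp-query-public", "cs_uri_stem": "/api/core/app/mcpTools/example",
     "cs_uri_query": "url=http://110.45.6.7/mcp"},
    {"id": "mcp-body-internal", "cs_uri_stem": "/api/core/app/mcpTools/example",
     "cs_uri_query": "", "cs_body": '{"url": "http://192.168.1.10:8080/sse"}'},
]


def evaluate(records):
    """Return {record id: names of the rules that fire, in rule order}."""
    rules = {"rule1": rule1_unauth_proxy, "rule2": rule2_as_written,
             "rule2_tuned": rule2_tuned}
    return {r["id"]: [name for name, fn in rules.items() if fn(r)] for r in records}


if __name__ == "__main__":
    for rec_id, hits in evaluate(SAMPLE).items():
        print(f"{rec_id:18} {hits}")
```

The public-address record fires Rule 2 as written but not the tuned variant, and the body-only record is seen only when the body field is inspected.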

YARA Rules

Two YARA rules are provided for use against HTTP network traffic captures, access log archives, or WAF log exports.

fastgpt_unauth_proxy_endpoint (CVE-2026-34162) matches artifacts containing the vulnerable endpoint path combined with an internal IP address target in the same record, indicating active exploitation of the unauthenticated proxy.

fastgpt_mcp_ssrf_internal (CVE-2026-34163) matches artifacts containing an MCP endpoint path, an internal IP address target, and a URL-bearing JSON key — reducing false positives from log entries that mention MCP paths in non-request contexts.

Full YARA source: detection rules provided with this finding (fastgpt-ssrf.yar).

Operational Detection Notes

  • Both Sigma rules are marked status: experimental. Review false positive rates in your environment before escalating to automated blocking actions.
  • For CVE-2026-34162, prioritise detection of requests to /api/core/app/httpTools/runTool originating from external IP ranges. Internal health-check sources can be filtered by source IP to reduce noise.
  • For CVE-2026-34163, detection efficacy depends on log sources that capture request body content. Web server access logs alone are often insufficient; a WAF or API gateway with body-logging enabled significantly improves coverage.
  • After upgrading to FastGPT 4.14.9.5, leave the detection rules active for a transition period to identify any instances running legacy versions.

Remediation

Immediate (within 24 hours)

Upgrade FastGPT to version 4.14.9.5 or later. This is the only fully remediated state confirmed by NVD for both CVEs (NVD). No published workaround has been identified that addresses both vulnerabilities without patching.

Identify all internet-exposed FastGPT deployments. CVE-2026-34162 requires no credentials; any instance accessible from the internet is exploitable by any caller. Asset inventory should prioritise this exposure class.

Short-term (within one week)

Implement network segmentation for AI agent platform hosts. FastGPT and analogous platforms require outbound HTTP access for legitimate operation. That outbound access should be restricted to known external services via egress filtering or a forward proxy with an explicit allow-list, reducing the blast radius of any SSRF primitive — including any future vulnerabilities in the same class.

Audit the internal network surface reachable from the FastGPT host. Cloud metadata endpoints, internal APIs, and any service accessible to the FastGPT host over RFC-1918 space should be inventoried. Access controls on those services should not rely solely on network adjacency; they should require their own authentication even from internal callers.

Defence-in-depth for deployments unable to upgrade immediately. Placing the FastGPT instance behind a reverse proxy or API gateway that enforces authentication for all requests, including /api/core/app/httpTools/runTool, may reduce the immediate exploitability of CVE-2026-34162. This measure does not address CVE-2026-34163, which is post-authentication by design, and does not constitute a substitute for patching.

Ongoing

Apply this assessment pattern to other AI agent platform deployments. The vulnerability class — agent platform outbound-request functionality exposed without proper authentication or URL validation — is not unique to FastGPT. Any platform that enables users to configure HTTP tool endpoints should be evaluated against the same criteria: Is the endpoint protected by authentication appropriate to its exposure? Are user-supplied URLs validated against an allow-list or deny-list that blocks RFC-1918, loopback, and link-local targets? Is the platform reachable only from expected network sources?


Timeline

| Date | Event |
|---|---|
| 2026-03-31 | Initial signal observed via Bluesky post by @thehackerwire.bsky.social referencing CVE-2026-34162 (Bluesky) |
| 2026-04-03 | RAXE triage completed; CVE-2026-34163 identified via NVD cross-reference from CVE-2026-34162 record |
| 2026-04-03 | PoC (conceptual, T1 black-box), detection rules, and brief completed |
| 2026-04-03 | Embargo period completed; publication draft prepared |
| 2026-04-03 | Publication |

References

| Tag | URL | Type |
|---|---|---|
| NVD-34162 | https://nvd.nist.gov/vuln/detail/CVE-2026-34162 | CVE — primary (CVSS 10.0 CRITICAL) |
| NVD-34163 | https://nvd.nist.gov/vuln/detail/CVE-2026-34163 | CVE — secondary (CVSS 7.7 HIGH) |
| Bluesky | https://bsky.app/profile/thehackerwire.bsky.social/post/3miejc3lk7m2t | Social media — initial signal (corroborating, grade D4) |
| FIRST.org EPSS (CVE-2026-34162) | https://api.first.org/data/v1/epss?cve=CVE-2026-34162 | EPSS — CVE-2026-34162 (FIRST.org, 2026-04-03) |
| FIRST.org EPSS (CVE-2026-34163) | https://api.first.org/data/v1/epss?cve=CVE-2026-34163 | EPSS — CVE-2026-34163 (FIRST.org, 2026-04-03) |

Appendix: RAXE Assessment Notes

Intelligence Tradecraft

Admiralty Grade: A2. Source reliability A: NVD is the authoritative US government vulnerability database operated by NIST. CVSS scores and CWE classifications are published by NIST analysts. Credibility 2: technical claims are independently confirmed via two NVD CVE records with consistent product, vendor, and version information. The initial signal source (@thehackerwire.bsky.social, Bluesky, grade D4) is treated as a corroborating indicator only; all material technical facts in this publication trace to NVD (NVD).

Access Tier: T1 (black-box). This assessment is based entirely on publicly available NVD data. No FastGPT instance was accessed during the preparation of this finding.

ACH — Competing Hypotheses

H1 (preferred): The unauthenticated /api/core/app/httpTools/runTool endpoint was a developer-facing testing utility inadvertently left accessible in production builds, consistent with the "runTool" naming convention and the CWE-306 (Missing Authentication for Critical Function) classification. This hypothesis is supported by the NVD advisory data (NVD).

H2 (alternative): The endpoint was intended to be protected by an upstream authentication proxy or deployment-time network control, and the vulnerability manifests specifically in deployment configurations that expose it directly without such controls.

Both hypotheses are consistent with the available evidence. Neither changes the remediation recommendation.

Key Assumptions (KAC)

KA-1 — Fix completeness: Version 4.14.9.5 fully remediates both CVEs. This assumption is based on NVD citing 4.14.9.5 as the fix version for both records (NVD). It has not been independently verified by source code diff or changelog review.

KA-2 — Endpoint accessibility: The CVSS 10.0 severity of CVE-2026-34162 assumes the FastGPT instance is accessible over the network without an authentication proxy. Deployments behind a reverse proxy enforcing authentication may reduce the effective exploitability of CVE-2026-34162 but do not address CVE-2026-34163.

KA-3 — No exploitation in the wild: No public evidence of active exploitation of either CVE existed at the time of publication (2026-04-03). This assumption is informed by low EPSS scores (FIRST.org EPSS) and absence of CVE entries in CISA KEV but could change rapidly given the low access barrier for CVE-2026-34162.

KA-4 — MCP endpoint exposure: The severity of CVE-2026-34163 assumes that low-privilege users have access to MCP tool configuration. Deployments with tightly restricted role assignments may reduce the number of accounts able to reach the vulnerable endpoint.

Broader Pattern Note

The vulnerability class disclosed here is not unique to FastGPT. AI agent platforms are architecturally designed to issue outbound HTTP requests — to call APIs, retrieve documents, and invoke tools — as a core function. When authentication and URL validation controls on those outbound-request facilities are absent or incomplete, the platform's own agentic capability becomes an exploitation primitive. Organisations evaluating or deploying AI agent platforms should assess outbound-request endpoints against three criteria: authentication appropriate to exposure, URL validation that blocks RFC-1918 and link-local targets, and network-layer controls that restrict who can reach the endpoint in the first place.
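
The URL-validation criterion above, which is also the question posed under Ongoing remediation, written out as an added Python example; it is not FastGPT's 4.14.9.5 fix, which this assessment has not reviewed. The names check_tool_url, is_internal, system_resolve, fake_resolve and FAKE_DNS are hypothetical, and the check goes slightly beyond RFC-1918, loopback and link-local by refusing every address Python's ipaddress module does not classify as global.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_internal(ip_text):
    """True for RFC-1918, loopback, link-local and any other non-global address."""
    ip = ipaddress.ip_address(ip_text)
    # Judge an IPv4-mapped IPv6 address (::ffff:a.b.c.d) by its embedded IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def system_resolve(host):
    """Resolve with the system resolver; returns a sorted list of IP strings."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0].split("%")[0] for info in infos})  # drop IPv6 scope id


def check_tool_url(url, resolve=system_resolve, allow_hosts=None):
    """Return (ok, reason, ips) for a user-supplied tool endpoint URL.

    The decision uses the resolved addresses, not the URL text. The caller must
    connect to one of the returned ips rather than resolving again, and must
    pass every redirect target through this check as well.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "malformed URL", []
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    if not host:
        return False, "missing host", []
    if allow_hosts is not None and host.lower() not in allow_hosts:
        return False, "host not on allow-list", []
    try:
        ips = resolve(host)
    except OSError:
        ips = []
    if not ips:
        return False, "host does not resolve", []
    # One internal answer is enough to refuse: the client may use any record.
    if any(is_internal(ip) for ip in ips):
        return False, "resolves to internal address", []
    return True, "ok", ips


# Constructed DNS answers so the example runs offline (hypothetical host names).
FAKE_DNS = {
    "mcp.example.com": ["93.184.216.34"],
    "mixed.example.net": ["93.184.216.34", "10.0.0.5"],
    "metadata.example.org": ["169.254.169.254"],
}


def fake_resolve(host):
    """Stand-in resolver: FAKE_DNS first, then IP literals, else a lookup error."""
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        raise OSError("no such host") from None
```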