Cyber Posture

CVE-2026-34162

Critical · Public PoC

Published: 31 March 2026
Modified: 01 April 2026
KEV Added
Patch
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L)
EPSS Score: 0.0016 (37.1th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint (/api/core/app/httpTools/runTool) is exposed without any authentication. This endpoint acts as a full HTTP proxy — it accepts a user-supplied baseUrl, toolPath, HTTP method, custom headers, and body, then makes a server-side HTTP request and returns the complete response to the caller. This issue has been patched in version 4.14.9.5.

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: Directly requires organizations to identify and restrict critical actions performable without authentication, addressing the exposure of the unauthenticated HTTP proxy endpoint.

Prevent: Mandates enforcement of approved access authorizations, preventing unauthorized access to the vulnerable HTTP tools testing endpoint.

Prevent: Requires validation of information inputs such as user-supplied baseUrl, toolPath, headers, and body to block SSRF exploitation via the proxy.
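
The input-validation control above, sketched as an added example (not FastGPT's code and not the patch in 4.14.9.5): a destination check run on the final URL before a server-side request is sent. The function names, the deny list, and the use of `new URL(toolPath, baseUrl)` to join the two fields are assumptions; authentication on the endpoint is still required in addition to this check.

```javascript
// Added example (not FastGPT code): vet the final URL a server-side
// HTTP tool runner is about to request, before any connection is made.
const BLOCKED_V4 = [ // [network, prefix length]; constructed deny list
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['198.18.0.0', 15], ['224.0.0.0', 3],
];
const isV4 = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h);
const v4ToInt = (ip) => ip.split('.').reduce((n, o) => n * 256 + Number(o), 0);

function isBlockedIp(ip) {
  if (isV4(ip)) {
    const n = v4ToInt(ip);
    return BLOCKED_V4.some(([net, bits]) => {
      const size = 2 ** (32 - bits);
      return Math.floor(n / size) === Math.floor(v4ToInt(net) / size);
    });
  }
  // IPv6: fail closed. Only global unicast (2000::/3) is allowed, so ::1,
  // fc00::/7, fe80::/10 and IPv4-mapped ::ffff:a.b.c.d are all denied.
  return !/^[23][0-9a-f]{3}:/i.test(ip);
}

// Default resolver (assumption: Node.js runtime). Returns every A/AAAA record.
async function systemResolve(host) {
  const records = await require('node:dns').promises.lookup(host, { all: true });
  return records.map((r) => r.address);
}

async function checkDestination(baseUrl, toolPath, resolve = systemResolve) {
  let url;
  try {
    url = new URL(toolPath, baseUrl); // assumed way of joining the two fields
  } catch {
    return { ok: false, reason: 'invalid URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme not allowed' };
  }
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  const host = url.hostname.replace(/^\[|\]$/g, '');
  // The URL parser has already canonicalised decimal/hex IPv4 forms.
  const addrs = isV4(host) || host.includes(':') ? [host] : await resolve(host);
  const bad = addrs.find(isBlockedIp);
  if (addrs.length === 0 || bad) {
    return { ok: false, reason: `blocked destination: ${bad || 'no address'}` };
  }
  // Connect to one of `addrs`, not to the name again, to avoid DNS rebinding.
  return { ok: true, url: url.href, addresses: addrs };
}
```

The check only helps if the HTTP client then connects to one of the vetted addresses and re-runs the check on every redirect hop.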

Security Summary · AI

CVE-2026-34162 is a critical vulnerability (CVSS 10.0; CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L) in FastGPT, an AI Agent building platform, affecting versions prior to 4.14.9.5. The issue stems from the HTTP tools testing endpoint (/api/core/app/httpTools/runTool) being exposed without authentication, functioning as a full HTTP proxy. It accepts user-supplied parameters including baseUrl, toolPath, HTTP method, custom headers, and body, then issues a server-side HTTP request and returns the complete response to the caller. The vulnerability is linked to CWE-306 (Missing Authentication for Critical Function) and CWE-918 (Server-Side Request Forgery).

Any unauthenticated attacker with network access can exploit this endpoint remotely, with low complexity and no user interaction. Exploitation enables arbitrary server-side HTTP requests under the authority of the FastGPT server. Because the proxy is flexible in its methods, headers, and payloads, this can lead to high-impact confidentiality and integrity violations, and the changed scope (S:C in the CVSS vector) amplifies these effects.

The vulnerability has been patched in FastGPT version 4.14.9.5. Official mitigation guidance from GitHub security advisories (GHSA-w36r-f268-pwrj) recommends upgrading to this version, with the fix implemented via commit bc7eae2ed61481a5e322208829be291faec58c00 and pull request #6640, as detailed in the release notes.

Details

CWE(s)

Affected Products

fastgpt
fastgpt
≤ 4.14.9.5

AI Security Analysis · AI

AI Category: APIs and Models
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: Matched keywords: ai

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1090.001 Internal Proxy (Command and Control)
Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment.

T1046 Network Service Discovery (Discovery)
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.

Why these techniques?

Unauthenticated SSRF in a public-facing HTTP proxy endpoint directly enables exploitation of a public-facing application (T1190), use of the server as an internal proxy for pivoting (T1090.001), and probing of internal network services via arbitrary HTTP requests (T1046).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
