EUVD-2026-17447CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
3Description
FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, FastGPT's MCP (Model Context Protocol) tools endpoints (/api/core/app/mcpTools/getTools and /api/core/app/mcpTools/runTool) accept a user-supplied URL parameter and make server-side HTTP requests to it without validating whether the URL points to an internal/private network address. Although the application has a dedicated isInternalAddress() function for SSRF protection (used in other endpoints like the HTTP workflow node), the MCP tools endpoints do not call this function. An authenticated attacker can use these endpoints to scan internal networks, access cloud metadata services, and interact with internal services such as MongoDB and Redis. This issue has been patched in version 4.14.9.5.
Analysis
Server-Side Request Forgery (SSRF) in FastGPT's Model Context Protocol (MCP) tools endpoints allows authenticated attackers to probe internal networks, access cloud metadata services (e.g., AWS/GCP instance credentials), and interact with backend databases like MongoDB and Redis. Affects FastGPT versions prior to 4.14.9.5. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all FastGPT deployments and their current versions; disable or restrict access to MCP tools endpoints if running versions prior to 4.14.9.5. Within 7 days: Upgrade FastGPT to version 4.14.9.5 or later in a controlled test environment and validate functionality before production deployment. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today