What is the CVSS score of CVE-2026-34163?

CVE-2026-34163 has a CVSS 3.1 base score of 7.7 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Redis are affected by CVE-2026-34163?

FastGPT versions prior to 4.14.9.5 contain a Server-Side Request Forgery vulnerability in Model Context Protocol tools that allows authenticated users to access internal networks, cloud credential…. A patch is available.

Redis CVE-2026-34163

EUVD-2026-17447 HIGH

Server-Side Request Forgery (SSRF) (CWE-918)

2026-03-31 GitHub_M

SSRF Redis

7.7

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:10 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

4.14.9.5

EUVD ID Assigned

Mar 31, 2026 - 14:30 euvd

EUVD-2026-17447

Analysis Generated

Mar 31, 2026 - 14:30 vuln.today

CVE Published

Mar 31, 2026 - 13:43 nvd

HIGH 7.7

DescriptionNVD

FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, FastGPT's MCP (Model Context Protocol) tools endpoints (/api/core/app/mcpTools/getTools and /api/core/app/mcpTools/runTool) accept a user-supplied URL parameter and make server-side HTTP requests to it without validating whether the URL points to an internal/private network address. Although the application has a dedicated isInternalAddress() function for SSRF protection (used in other endpoints like the HTTP workflow node), the MCP tools endpoints do not call this function. An authenticated attacker can use these endpoints to scan internal networks, access cloud metadata services, and interact with internal services such as MongoDB and Redis. This issue has been patched in version 4.14.9.5.

AnalysisAI

Server-Side Request Forgery (SSRF) in FastGPT's Model Context Protocol (MCP) tools endpoints allows authenticated attackers to probe internal networks, access cloud metadata services (e.g., AWS/GCP instance credentials), and interact with backend databases like MongoDB and Redis. Affects FastGPT versions prior to 4.14.9.5. …

RemediationAI

Within 24 hours: Identify all FastGPT instances and document current versions in use. Within 7 days: Upgrade all FastGPT deployments to version 4.14.9.5 or later per vendor advisory; restrict network access from FastGPT servers to internal services and cloud metadata endpoints during upgrade window. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-34163 vulnerability details – vuln.today

Back

Redis CVE-2026-34163

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code