Skip to main content

FastGPT CVE-2026-61646

| EUVDEUVD-2026-44678 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-15 GitHub_M
6.3
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.7 HIGH

Network-accessible redirect abuse requires only authenticated workflow user (PR:L); scope changes (S:C) to internal/metadata systems yield high confidentiality impact (C:H) with no integrity or availability consequence.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Jul 15, 2026 - 17:48 EUVD
Source Code Evidence Fetched
Jul 15, 2026 - 15:31 vuln.today
Analysis Generated
Jul 15, 2026 - 15:31 vuln.today
CVE Published
Jul 15, 2026 - 14:32 cve.org
MEDIUM 6.3

DescriptionCVE.org

FastGPT is a knowledge-based AI application platform. Prior to 4.15.0-beta5, FastGPT's shared SSRF guard validates only the initial request URL before handing the request to axios, and axios follows redirects by default. An authenticated workflow user can configure an HTTP request node to call an attacker-controlled public URL that redirects to cloud metadata, loopback, or internal services that the guard would block on direct request, and the HTTP node returns the response body to the workflow caller. This issue is fixed in version 4.15.0-beta5.

AnalysisAI

SSRF guard bypass in FastGPT prior to 4.15.0-beta5 enables authenticated workflow users to reach cloud metadata endpoints, loopback interfaces, and internal network services that the guard would otherwise block on direct request. The HTTP request workflow node submits the initial URL to the SSRF guard for validation, but then hands the request to axios, which follows HTTP redirects by default without re-triggering the guard - allowing an attacker-controlled redirect server to pivot the request to any internal target. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate as FastGPT workflow user
Delivery
Configure HTTP request node with attacker-controlled redirect URL
Exploit
Trigger workflow execution
Install
FastGPT SSRF guard approves initial external URL
C2
Axios follows redirect to internal/metadata target, bypassing guard
Execute
Internal service response body returned to workflow output
Impact
Attacker reads exfiltrated data (credentials, internal API responses)

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated FastGPT user account with permission to create or modify HTTP request workflow nodes - anonymous access cannot trigger this vulnerability. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 6.3 (AV:N/AC:L/AT:N/PR:L/UI:N/SC:H/SI:N/SA:N) accurately reflects the attack surface but understates practical impact in cloud deployments. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated FastGPT user with workflow access creates an HTTP request node targeting an attacker-controlled server (e.g., attacker.example.com/redirect) that responds with an HTTP 302 redirect to http://169.254.169.254/latest/meta-data/iam/security-credentials/MyRole. The FastGPT SSRF guard approves the initial external URL, axios transparently follows the redirect to the metadata endpoint, and the JSON credential response - containing an AWS AccessKeyId, SecretAccessKey, and SessionToken - is returned in the workflow execution output accessible to the attacker. …
Remediation Upgrade FastGPT to version 4.15.0-beta5 or later by updating container images to fastgpt-app:v4.15.0-beta5, fastgpt-pro:v4.15.0-beta5, and fastgpt-plugin:v1.0.0-beta5 as documented at https://github.com/labring/FastGPT/releases/tag/v4.15.0-beta5. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-52552 MEDIUM POC
6.1 Jun 21

FastGPT is an AI Agent building platform. Prior to version 4.9.12, the LastRoute Parameter on login page is vulnerable t

CVE-2026-34162 CRITICAL
10.0 Mar 31

Unauthenticated HTTP proxy abuse in FastGPT (AI Agent platform) prior to v4.14.9.5 allows remote attackers to relay arbi

CVE-2026-42302 CRITICAL
9.8 May 08

FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of

CVE-2026-40351 CRITICAL
9.8 Apr 17

NoSQL injection in FastGPT <4.14.9.5 password authentication allows unauthenticated remote attackers to bypass login con

CVE-2026-50562 CRITICAL
9.3 Jul 15

GitHub Actions artifact-poisoning (pwn request) in labring/FastGPT allows an external attacker who opens a pull request

CVE-2026-40352 HIGH
8.8 Apr 17

NoSQL injection in FastGPT versions before 4.14.9.5 allows authenticated attackers to bypass password verification on th

CVE-2026-61684 HIGH
8.8 Jul 15

Authentication bypass in FastGPT 4.15.0-beta4 lets unauthenticated remote attackers forge JWTs and access internal plugi

CVE-2026-55418 HIGH
8.6 Jul 07

Cross-tenant file disclosure in FastGPT prior to v4.15.0-beta5 allows an attacker to read another team's stored files by

CVE-2026-54607 HIGH
7.7 Jul 07

Server-side request forgery in FastGPT before 4.15.0-beta4 lets an authenticated team member abuse the HTTP-tool OpenAPI

CVE-2026-44285 HIGH
7.7 May 29

Server-Side Request Forgery in Labring FastGPT prior to 4.15.0-beta1 lets an authenticated attacker bypass the platform'

CVE-2026-42345 HIGH
7.7 May 08

FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packa

CVE-2026-61644 HIGH
7.7 Jul 15

Cross-tenant data disclosure in FastGPT 4.14.17 through 4.15.0-beta5 lets a low-privileged tenant user read another tena

Share

CVE-2026-61646 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy