Skip to main content

FastGPT EUVDEUVD-2026-42116

| CVE-2026-54607 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-07 GitHub_M
7.7
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
vuln.today AI
7.7 HIGH

Network-reachable importer abused by an authenticated team member (PR:L), no interaction; SSRF reaches other systems (S:C) to disclose data (C:H) with no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jul 07, 2026 - 23:01 EUVD
Analysis Generated
Jul 07, 2026 - 22:05 vuln.today

DescriptionCVE.org

FastGPT is a knowledge-based AI application platform. Prior to 4.15.0-beta4, the HTTP-tool OpenAPI schema importer validates only the top-level URL before passing it to SwaggerParser.bundle, whose remote reference resolver fetches $ref URLs without FastGPT's internal-address guard and returns fetched content inline, allowing an authenticated team member to read internal services or cloud metadata. This issue is fixed in version 4.15.0-beta4.

AnalysisAI

Server-side request forgery in FastGPT before 4.15.0-beta4 lets an authenticated team member abuse the HTTP-tool OpenAPI schema importer to reach internal-only services and cloud instance metadata. Because the importer only validates the top-level URL and then hands the document to SwaggerParser.bundle, whose $ref resolver fetches remote references without FastGPT's internal-address guard, fetched content is returned inline to the caller. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as team member
Delivery
Create HTTP tool with crafted OpenAPI schema
Exploit
Top-level URL passes SSRF guard
Execution
SwaggerParser resolves malicious $ref internally
Persist
Fetch cloud metadata or internal service
Impact
Read credentials returned inline

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated FastGPT team member account (CVSS PR:L) with access to the HTTP-tool feature, and the specific prerequisite that the target instance uses the OpenAPI/Swagger schema importer path that calls SwaggerParser.bundle on user-supplied schemas. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N = 7.7 High) is internally consistent with the description: network-reachable, low complexity, requires low privilege (an authenticated team member), no user interaction, scope change (the app reaches systems it should not), and high confidentiality impact with no integrity or availability effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated FastGPT team member creates an HTTP tool and supplies an OpenAPI schema whose top-level URL points to an attacker-controlled host that passes FastGPT's guard, but which contains a $ref pointing to http://169.254.169.254/latest/meta-data/iam/security-credentials/ or an internal service. When FastGPT bundles the schema, SwaggerParser resolves that $ref without the internal-address guard and returns the cloud IAM credentials or internal response inline to the user. …
Remediation Vendor-released patch: 4.15.0-beta4 - upgrade FastGPT to 4.15.0-beta4 (or later) as described in advisory GHSA-72hf-5382-2mq9 (https://github.com/labring/FastGPT/security/advisories/GHSA-72hf-5382-2mq9); note this is a beta tag, so validate in staging before production rollout. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all FastGPT installations, note current versions, and inventory authenticated users with HTTP-tool access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-52552 MEDIUM POC
6.1 Jun 21

FastGPT is an AI Agent building platform. Prior to version 4.9.12, the LastRoute Parameter on login page is vulnerable t

CVE-2026-34162 CRITICAL
10.0 Mar 31

Unauthenticated HTTP proxy abuse in FastGPT (AI Agent platform) prior to v4.14.9.5 allows remote attackers to relay arbi

CVE-2026-42302 CRITICAL
9.8 May 08

FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of

CVE-2026-40351 CRITICAL
9.8 Apr 17

NoSQL injection in FastGPT <4.14.9.5 password authentication allows unauthenticated remote attackers to bypass login con

CVE-2026-50562 CRITICAL
9.3 Jul 15

GitHub Actions artifact-poisoning (pwn request) in labring/FastGPT allows an external attacker who opens a pull request

CVE-2026-40352 HIGH
8.8 Apr 17

NoSQL injection in FastGPT versions before 4.14.9.5 allows authenticated attackers to bypass password verification on th

CVE-2026-61684 HIGH
8.8 Jul 15

Authentication bypass in FastGPT 4.15.0-beta4 lets unauthenticated remote attackers forge JWTs and access internal plugi

CVE-2026-55418 HIGH
8.6 Jul 07

Cross-tenant file disclosure in FastGPT prior to v4.15.0-beta5 allows an attacker to read another team's stored files by

CVE-2026-44285 HIGH
7.7 May 29

Server-Side Request Forgery in Labring FastGPT prior to 4.15.0-beta1 lets an authenticated attacker bypass the platform'

CVE-2026-42345 HIGH
7.7 May 08

FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packa

CVE-2026-61644 HIGH
7.7 Jul 15

Cross-tenant data disclosure in FastGPT 4.14.17 through 4.15.0-beta5 lets a low-privileged tenant user read another tena

CVE-2026-54602 HIGH
7.1 Jul 07

Broken object-level authorization in FastGPT before 4.15.0 lets any authenticated user retrieve another team's LLM inter

Share

EUVD-2026-42116 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy