
CVE-2026-34162

CRITICAL NVD
CVSS Score 10
Severity CRITICAL
Published Mar 31, 2026
Vendor unknown

Description

FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint (/api/core/app/httpTools/runTool) is exposed without any authentication. This endpoint acts as a full HTTP proxy: it accepts a user-supplied baseUrl, toolPath, HTTP method, custom headers, and body, then makes a server-side HTTP request and returns the complete response to the caller. This issue has been patched in version 4.14.9.5.
