The vulnerability CVE-2026-34163 affects labring's FastGPT AI Agent building platform, specifically versions before 4.14.9.5. FastGPT includes MCP (Model Context Protocol) tools endpoints (/api/core/app/mcpTools/getTools and /api/core/app/mcpTools/runTool) that accept a URL parameter from authenticated users. These endpoints perform server-side HTTP requests to the supplied URLs without validating whether the destination is an internal or private network address. Although FastGPT has an isInternalAddress() function designed to prevent SSRF attacks by blocking requests to internal IP ranges, this function is not invoked by the MCP tools endpoints, creating a security gap. An attacker with valid credentials can exploit this to conduct internal network reconnaissance, access cloud provider metadata services (which often contain sensitive credentials and configuration data), and interact with internal services such as MongoDB and Redis databases that are typically not exposed externally. This can lead to information disclosure and potential further compromise within the victim’s infrastructure. The vulnerability does not require user interaction beyond authentication and has a CVSS 3.1 base score of 7.7 (high severity), with network attack vector, low attack complexity, and no user interaction required. The scope is changed because internal resources can be accessed that were previously out of reach. The vulnerability was publicly disclosed on March 31, 2026, and has been patched in FastGPT version 4.14.9.5. No known exploits in the wild have been reported yet.

The impact of CVE-2026-34163 is significant for organizations using vulnerable versions of FastGPT. Successful exploitation allows authenticated attackers to bypass network segmentation and access internal resources that should be protected, including cloud metadata services that can expose credentials and tokens. This can lead to unauthorized access to sensitive data, lateral movement within the network, and potential compromise of critical backend services such as MongoDB and Redis databases. The ability to scan internal networks also aids attackers in mapping the internal environment for further attacks. Since FastGPT is an AI agent platform, organizations relying on it for automation and AI workflows may face disruption or data leakage. The vulnerability’s exploitation could facilitate broader attacks against cloud infrastructure and internal services, increasing the risk of data breaches and operational impact. The requirement for authentication limits exposure somewhat but does not eliminate risk, especially in environments with weak credential management or insider threats.

Organizations should immediately upgrade FastGPT to version 4.14.9.5 or later, where the vulnerability has been patched by enforcing proper SSRF protections on the MCP tools endpoints. In addition to patching, organizations should implement strict access controls and monitoring on FastGPT instances to detect unusual internal network requests. Network segmentation and firewall rules should restrict FastGPT servers from making unauthorized outbound requests to sensitive internal IP ranges and cloud metadata endpoints. Employing Web Application Firewalls (WAFs) with SSRF detection rules can provide additional protection. Regularly audit and rotate credentials stored in cloud metadata services to minimize the impact of potential leaks. Limit FastGPT user privileges to the minimum necessary to reduce the risk of authenticated exploitation. Finally, conduct internal penetration testing and code reviews to identify similar SSRF weaknesses in custom or third-party components.