CVE-2026-44284: CWE-918: Server-Side Request Forgery (SSRF) in labring FastGPT
CVE-2026-44284 is a Server-Side Request Forgery (SSRF) vulnerability in labring FastGPT versions prior to 4. 14. 17. The issue arises from inconsistent SSRF protections in the MCP tool URL handling, where certain endpoints allowed storing internal URLs without proper validation. An authenticated user with permissions to manage MCP toolsets could exploit this to cause the backend workflow runner to connect to internal endpoints. This vulnerability has been addressed in version 4. 14. 17. The CVSS score is 6. 3, indicating a medium severity level.
AI Analysis
Technical Summary
FastGPT, an AI Agent building platform by labring, had an SSRF vulnerability (CWE-918) in versions before 4.14.17. While direct MCP preview/run endpoints rejected internal/private network URLs, the MCP tool create/update endpoints did not validate URLs properly and could store internal MCP server URLs. These stored URLs could later be used during workflow execution without revalidation, allowing an authenticated user with appropriate permissions to trigger backend connections to internal endpoints such as http://localhost:3000/mcp. This inconsistent validation gap was patched in version 4.14.17.
Potential Impact
An authenticated user with permission to create or manage MCP toolsets could exploit this vulnerability to make the FastGPT backend connect to internal network resources. This could potentially lead to unauthorized access or information disclosure from internal services. The impact includes limited confidentiality, integrity, and availability consequences as reflected by the CVSS vector (C:L/I:L/A:L). There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade FastGPT to version 4.14.17 or later, where this SSRF vulnerability has been patched. Since this is not a cloud service, remediation depends on applying the official fix by updating the software. Patch status is not explicitly stated in the vendor advisory, but the description confirms the issue is fixed in 4.14.17. Until upgraded, restrict permissions to create or manage MCP toolsets to trusted users only.
CVE-2026-44284: CWE-918: Server-Side Request Forgery (SSRF) in labring FastGPT
Description
CVE-2026-44284 is a Server-Side Request Forgery (SSRF) vulnerability in labring FastGPT versions prior to 4. 14. 17. The issue arises from inconsistent SSRF protections in the MCP tool URL handling, where certain endpoints allowed storing internal URLs without proper validation. An authenticated user with permissions to manage MCP toolsets could exploit this to cause the backend workflow runner to connect to internal endpoints. This vulnerability has been addressed in version 4. 14. 17. The CVSS score is 6. 3, indicating a medium severity level.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
FastGPT, an AI Agent building platform by labring, had an SSRF vulnerability (CWE-918) in versions before 4.14.17. While direct MCP preview/run endpoints rejected internal/private network URLs, the MCP tool create/update endpoints did not validate URLs properly and could store internal MCP server URLs. These stored URLs could later be used during workflow execution without revalidation, allowing an authenticated user with appropriate permissions to trigger backend connections to internal endpoints such as http://localhost:3000/mcp. This inconsistent validation gap was patched in version 4.14.17.
Potential Impact
An authenticated user with permission to create or manage MCP toolsets could exploit this vulnerability to make the FastGPT backend connect to internal network resources. This could potentially lead to unauthorized access or information disclosure from internal services. The impact includes limited confidentiality, integrity, and availability consequences as reflected by the CVSS vector (C:L/I:L/A:L). There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade FastGPT to version 4.14.17 or later, where this SSRF vulnerability has been patched. Since this is not a cloud service, remediation depends on applying the official fix by updating the software. Patch status is not explicitly stated in the vendor advisory, but the description confirms the issue is fixed in 4.14.17. Until upgraded, restrict permissions to create or manage MCP toolsets to trusted users only.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-05T17:39:31.112Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fe61e5cbff5d8610367fb8
Added to database: 5/8/2026, 10:21:25 PM
Last enriched: 5/8/2026, 10:36:49 PM
Last updated: 5/9/2026, 1:22:37 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.