PT-2026-29262 · Fastgpt · Fastgpt

August829 · Published 2026-03-31 · Updated 2026-04-01 · CVE-2026-34162

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: FastGPT versions prior to 4.14.9.5
Description: FastGPT is an AI agent building platform. In versions prior to 4.14.9.5, the HTTP tools testing endpoint ('/api/core/app/httpTools/runTool') was exposed without authentication. The endpoint functions as a full HTTP proxy: it accepts a user-supplied baseUrl, toolPath, HTTP method, custom headers and body, makes the request server-side, and returns the complete response. An unauthenticated attacker can therefore use the server to send arbitrary HTTP requests, reach internal services, and potentially exfiltrate API tokens. The issue is a Server-Side Request Forgery (SSRF) condition that may lead to Remote Code Execution (RCE).
Recommendations: Update FastGPT to version 4.14.9.5 or later.
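The two defects the description names are a missing authentication check and an HTTP proxy that forwards to whatever destination the caller supplies. The TypeScript below is an added illustration of how a gate in front of such an endpoint closes both, not FastGPT's own code or its fix: it first demands a session credential, then resolves toolPath against baseUrl the way the proxy would and rejects non-HTTP schemes and literal loopback, private, link-local and unique-local addresses. The request shape, the session store, the token value and every host in the samples are assumptions constructed for the example.

```typescript
// Added example, not FastGPT's own code: a request gate for a server-side
// "run this HTTP tool" endpoint of the kind the advisory describes.
// The request shape, the session store and all sample values are assumed.

interface RunToolRequest {
  sessionToken?: string;           // hypothetical credential the endpoint must demand
  baseUrl: string;
  toolPath: string;
  method: string;
  headers?: Record<string, string>;
  body?: string;
}

interface GateResult {
  allowed: boolean;
  reason: string;
  target?: string;                 // fully resolved URL, only when allowed
}

const ALLOWED_METHODS = new Set(["GET", "POST", "PUT", "PATCH", "DELETE"]);

// Hypothetical session store; a real deployment would consult its auth layer.
const VALID_SESSIONS = new Set<string>(["session-abc123"]); // constructed value

function parseIPv4(host: string): number[] | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = [Number(m[1]), Number(m[2]), Number(m[3]), Number(m[4])];
  return octets.every((o) => o <= 255) ? octets : null;
}

// Literal loopback, private, link-local and metadata addresses that a tool
// call must never be allowed to reach. This is a literal-address check only:
// it does not resolve names, so a hostname that resolves into one of these
// ranges still needs a check on the resolved address before connecting.
function isInternalHost(hostname: string): boolean {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h.includes(":")) {
    // IPv6: unspecified, loopback, IPv4-mapped, link-local, unique-local
    return h === "::" || h === "::1" || h.startsWith("::ffff:") ||
      h.startsWith("fe80:") || h.startsWith("fc") || h.startsWith("fd");
  }
  const v4 = parseIPv4(h);
  if (!v4) return false;
  const a = v4[0], b = v4[1];
  return a === 0 || a === 10 || a === 127 ||     // 0/8, 10/8, loopback
    (a === 169 && b === 254) ||                  // link-local, incl. cloud metadata
    (a === 172 && b >= 16 && b <= 31) ||         // 172.16/12
    (a === 192 && b === 168);                    // 192.168/16
}

// Resolve toolPath against baseUrl exactly as the proxy would, so an absolute
// toolPath that overrides baseUrl is judged on its real destination.
function resolveTarget(baseUrl: string, toolPath: string): URL | null {
  try {
    return new URL(toolPath, baseUrl);
  } catch {
    return null;
  }
}

function gateRunTool(req: RunToolRequest): GateResult {
  // 1. Authentication first: the advisory's root cause is that this was missing.
  if (!req.sessionToken || !VALID_SESSIONS.has(req.sessionToken)) {
    return { allowed: false, reason: "unauthenticated" };
  }
  // 2. Only plain HTTP methods.
  if (!ALLOWED_METHODS.has(req.method.toUpperCase())) {
    return { allowed: false, reason: "method not allowed" };
  }
  // 3. Validate the resolved destination, not the caller's baseUrl string.
  const target = resolveTarget(req.baseUrl, req.toolPath);
  if (!target) return { allowed: false, reason: "malformed URL" };
  if (target.protocol !== "http:" && target.protocol !== "https:") {
    return { allowed: false, reason: "scheme not allowed" };
  }
  if (target.username || target.password) {
    return { allowed: false, reason: "credentials in URL not allowed" };
  }
  if (isInternalHost(target.hostname)) {
    return { allowed: false, reason: "internal address" };
  }
  return { allowed: true, reason: "ok", target: target.toString() };
}

// Constructed sample requests; the hosts are placeholders, not real services.
const SAMPLES: RunToolRequest[] = [
  { baseUrl: "https://api.example.com", toolPath: "/v1/echo", method: "GET" },
  { sessionToken: "session-abc123", baseUrl: "http://127.0.0.1:3000", toolPath: "/", method: "GET" },
  { sessionToken: "session-abc123", baseUrl: "https://api.example.com",
    toolPath: "http://10.0.0.5/", method: "GET" },
  { sessionToken: "session-abc123", baseUrl: "https://api.example.com/base/",
    toolPath: "tools/run", method: "post" },
];
for (const s of SAMPLES) console.log(JSON.stringify(gateRunTool(s)));
```

The third sample matters most for a proxy of this shape: because `new URL(toolPath, baseUrl)` lets an absolute toolPath replace baseUrl entirely, a gate that inspects only the baseUrl string would pass a request that actually goes elsewhere, so the check runs on the resolved URL. The literal-address filter is one layer; since it does not resolve names, a production gate should also pin the connection to the address it resolved and checked, so that DNS answers cannot redirect it into a blocked range.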

Exploit · Fix
SSRF · Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-34162
GHSA-W36R-F268-PWRJ

Affected Products

Fastgpt