PT-2026-31992 · Fastgpt · Fastgpt
Published: 2026-04-10 · Updated: 2026-04-10 · CVE-2026-40100
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: FastGPT versions prior to 4.14.10.3
Description: FastGPT, an AI Agent building platform, allows unauthenticated attackers to perform Server-Side Request Forgery (SSRF) against internal network resources. The /api/core/app/mcpTools/runTool endpoint accepts arbitrary URLs without authentication, and the internal-IP check in the isInternalAddress() function is only enforced when CHECK INTERNAL IP is set to true, which is not the default configuration.
Recommendations: Update to version 4.14.10.3 or later.

Fix

SSRF

Weakness Enumeration

Related Identifiers: CVE-2026-40100

Affected Products: Fastgpt