CVE-2026-44285

Name of the Vulnerable Software and Affected Versions FastGPT versions prior to 4.15.0-beta1

Description An authenticated attacker can bypass the global isInternalAddress network protection to make arbitrary HTTP GET requests to internal network services. This occurs due to an incomplete fix in the dataset preview endpoint "/api/core/dataset/file/getPreviewChunks" when the externalFile data import type is used. This is a Server-Side Request Forgery (SSRF), which is a flaw that allows an attacker to induce the server-side application to make requests to an unintended location.

Recommendations Update to version 4.15.0-beta1.