CVE-2026-34162
Unauthenticated HTTP Proxy Exposure in FastGPT Before
Publication date: 2026-03-31
Last updated on: 2026-04-01
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fastgpt | fastgpt | to 4.14.9.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34162 is a critical vulnerability in FastGPT versions up to 4.14.8.3 caused by an unauthenticated Server-Side Request Forgery (SSRF) via the /api/core/app/httpTools/runTool endpoint.
This endpoint acts as a full HTTP proxy that accepts user-supplied parameters such as baseUrl, toolPath, HTTP method, custom headers, and body, then makes server-side HTTP requests and returns the full response to the caller without any authentication or access control.
Because there is no authentication middleware protecting this endpoint, unauthenticated attackers can exploit it to send arbitrary HTTP requests from the server, effectively proxying requests to internal services.
How can this vulnerability impact me? :
This vulnerability allows unauthenticated attackers with network access to FastGPT to perform several malicious actions including:
- Stealing third-party API keys (e.g., OpenAI, DeepSeek, Anthropic) by querying internal AI Proxy management APIs using default admin tokens.
- Accessing internal services within the Docker Compose network such as MongoDB, Redis, PostgreSQL, MinIO, and FastGPT internal APIs.
- Extracting sensitive data like MongoDB diagnostic information and user verification codes.
- Sending arbitrary HTTP requests with custom headers, enabling authentication bypass to internal services.
- Potentially accessing cloud metadata services (e.g., http://169.254.169.254) to steal IAM credentials in cloud deployments.
Overall, this vulnerability can lead to full compromise of internal FastGPT infrastructure, theft of sensitive API keys, unauthorized access to internal services, and escalation of attacks within the internal network, posing severe security and financial risks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the FastGPT instance exposes the `/api/core/app/httpTools/runTool` endpoint without authentication and if it allows proxying arbitrary HTTP requests.
You can test the vulnerability by sending crafted HTTP requests to the endpoint to see if it proxies requests to internal services such as MongoDB, AI Proxy APIs, or cloud metadata services.
- Send a POST request to the vulnerable endpoint with `baseUrl` set to an internal MongoDB address and check for MongoDB diagnostic messages in the response.
- Query the AI Proxy `/api/channels` endpoint via the vulnerable proxy with default admin tokens in headers to see if API keys are returned.
- Probe internal FastGPT APIs for user verification codes or health status endpoints to confirm unauthorized access.
Example curl command to test MongoDB internal access via the vulnerable endpoint:
- curl -X POST 'http://<fastgpt-host>/api/core/app/httpTools/runTool' -H 'Content-Type: application/json' -d '{"baseUrl":"http://<internal-mongodb-ip>:27017","toolPath":"/","method":"POST"}'
Replace `<fastgpt-host>` with your FastGPT server address and `<internal-mongodb-ip>` with the internal MongoDB IP address.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthenticated attackers to access sensitive internal services and data, including API keys, user verification codes, and diagnostic information. Such unauthorized access and potential data exposure can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.
Specifically, the ability to steal API keys and access internal databases without authentication indicates a failure in access control and data security measures, which are fundamental requirements under these regulations.
Therefore, exploitation of this vulnerability could result in non-compliance with standards mandating confidentiality, integrity, and availability of sensitive data.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade FastGPT to version 4.14.9.5 or later, where the vulnerability is patched.
- Add authentication middleware to the `/api/core/app/httpTools/runTool` endpoint to prevent unauthenticated access.
- Implement SSRF protections by blocking requests to internal IP ranges or addresses from this endpoint.
- Change default AI Proxy `ADMIN_KEY` from weak defaults to strong, random values.
- Enforce network segmentation to restrict FastGPT containers from accessing internal management APIs directly.