Executive Summary

CVE-2026-34163 is a Server-Side Request Forgery (SSRF) vulnerability in FastGPT versions prior to 4.14.9.5, specifically affecting the MCP (Model Context Protocol) tools endpoints `/api/core/app/mcpTools/getTools` and `/api/core/app/mcpTools/runTool`.

These endpoints accept a user-supplied URL parameter and make server-side HTTP requests to that URL without validating whether the URL points to an internal or private network address. Unlike other parts of the application that use an `isInternalAddress()` function to block internal/private URLs, these MCP tools endpoints do not perform such validation.

An authenticated attacker with any user role can exploit this by supplying URLs that point to internal services such as Redis, MongoDB, or cloud metadata services. This allows the attacker to scan internal networks, enumerate services and open ports, and potentially access sensitive internal data.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have several serious impacts:

• Internal network reconnaissance and enumeration of services and open ports.
• Potential unauthorized access to cloud instance metadata services, which can lead to credential theft on cloud platforms such as AWS, GCP, or Azure.
• Interaction with internal services like MongoDB and Redis, possibly exposing sensitive data.
• Data exfiltration through responses or error messages returned by internal services.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for authenticated POST requests to the vulnerable MCP tool endpoints `/api/core/app/mcpTools/getTools` and `/api/core/app/mcpTools/runTool` that include user-supplied URL parameters pointing to internal or private network addresses.

An attacker exploiting this vulnerability typically sends POST requests with URLs targeting internal services such as Redis (e.g., http://redis:6379/), MongoDB (e.g., http://mongo:27017/), or cloud metadata endpoints (e.g., http://169.254.169.254/latest/meta-data/). Different error messages returned by the server can indicate the presence and status of these internal services.

To detect exploitation attempts, you can search your web server or application logs for authenticated POST requests to these endpoints containing suspicious internal IP addresses or hostnames in the URL parameter.

Example commands to detect such activity might include:

• Using grep to find suspicious POST requests in logs: `grep -E 'POST /api/core/app/mcpTools/(getTools|runTool)' /var/log/fastgpt/access.log | grep -E '169\.254\.169\.254|redis|mongo|127\.0\.0\.1|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.'`
• Using network monitoring tools to detect outbound HTTP requests from the FastGPT server to internal IP ranges or cloud metadata IPs.
• Checking application logs for error messages such as "other side closed" or "Invalid content type" returned from these endpoints, which indicate attempts to connect to internal services.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading FastGPT to version 4.14.9.5 or later, where the vulnerability has been patched by adding internal address validation and authentication enforcement on the MCP tool endpoints.

If upgrading immediately is not possible, consider the following interim measures:

• Restrict access to the vulnerable endpoints `/api/core/app/mcpTools/getTools` and `/api/core/app/mcpTools/runTool` to trusted users only, ensuring that only authenticated and authorized users can access them.
• Implement network-level controls such as firewall rules or network policies to block outbound HTTP requests from the FastGPT server to internal/private IP ranges and cloud metadata service IPs (e.g., 169.254.169.254).
• Review and apply the patches described in the FastGPT project that add `isInternalAddress()` validation to reject requests targeting internal addresses and enforce authentication on HTTP tool execution endpoints.

These steps collectively reduce the risk of SSRF exploitation by preventing unauthorized internal network scanning and access.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-34163 is a Server-Side Request Forgery (SSRF) vulnerability in FastGPT that allows authenticated attackers to perform internal network reconnaissance, access cloud metadata services, and interact with internal services such as MongoDB and Redis. This can lead to unauthorized access to sensitive internal resources and potential data exfiltration.

Such unauthorized access and potential data exposure could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive personal and health data, secure network boundaries, and prevention of unauthorized data access or disclosure.

Specifically, the vulnerability could lead to exposure of sensitive data or credentials stored in internal services or cloud metadata, which may violate data protection requirements and increase risk of data breaches.

Mitigations such as internal address validation, authentication enforcement, and network-level controls help reduce these risks and support compliance efforts by preventing unauthorized internal network access.

Useful 0 Not Useful 0