CVE-2026-34163
SSRF Vulnerability in FastGPT MCP Tools Enables Internal Network Access
Publication date: 2026-03-31
Last updated on: 2026-04-01
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fastgpt | fastgpt | to 4.14.9.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34163 is a Server-Side Request Forgery (SSRF) vulnerability in FastGPT versions prior to 4.14.9.5, specifically affecting the MCP (Model Context Protocol) tools endpoints `/api/core/app/mcpTools/getTools` and `/api/core/app/mcpTools/runTool`.
These endpoints accept a user-supplied URL parameter and make server-side HTTP requests to that URL without validating whether the URL points to an internal or private network address. Unlike other parts of the application that use an `isInternalAddress()` function to block internal/private URLs, these MCP tools endpoints do not perform such validation.
An authenticated attacker with any user role can exploit this by supplying URLs that point to internal services such as Redis, MongoDB, or cloud metadata services. This allows the attacker to scan internal networks, enumerate services and open ports, and potentially access sensitive internal data.
How can this vulnerability impact me? :
This vulnerability can have several serious impacts:
- Internal network reconnaissance and enumeration of services and open ports.
- Potential unauthorized access to cloud instance metadata services, which can lead to credential theft on cloud platforms such as AWS, GCP, or Azure.
- Interaction with internal services like MongoDB and Redis, possibly exposing sensitive data.
- Data exfiltration through responses or error messages returned by internal services.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for authenticated POST requests to the vulnerable MCP tool endpoints `/api/core/app/mcpTools/getTools` and `/api/core/app/mcpTools/runTool` that include user-supplied URL parameters pointing to internal or private network addresses.
An attacker exploiting this vulnerability typically sends POST requests with URLs targeting internal services such as Redis (e.g., http://redis:6379/), MongoDB (e.g., http://mongo:27017/), or cloud metadata endpoints (e.g., http://169.254.169.254/latest/meta-data/). Different error messages returned by the server can indicate the presence and status of these internal services.
To detect exploitation attempts, you can search your web server or application logs for authenticated POST requests to these endpoints containing suspicious internal IP addresses or hostnames in the URL parameter.
Example commands to detect such activity might include:
- Using grep to find suspicious POST requests in logs: `grep -E 'POST /api/core/app/mcpTools/(getTools|runTool)' /var/log/fastgpt/access.log | grep -E '169\.254\.169\.254|redis|mongo|127\.0\.0\.1|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.'`
- Using network monitoring tools to detect outbound HTTP requests from the FastGPT server to internal IP ranges or cloud metadata IPs.
- Checking application logs for error messages such as "other side closed" or "Invalid content type" returned from these endpoints, which indicate attempts to connect to internal services.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading FastGPT to version 4.14.9.5 or later, where the vulnerability has been patched by adding internal address validation and authentication enforcement on the MCP tool endpoints.
If upgrading immediately is not possible, consider the following interim measures:
- Restrict access to the vulnerable endpoints `/api/core/app/mcpTools/getTools` and `/api/core/app/mcpTools/runTool` to trusted users only, ensuring that only authenticated and authorized users can access them.
- Implement network-level controls such as firewall rules or network policies to block outbound HTTP requests from the FastGPT server to internal/private IP ranges and cloud metadata service IPs (e.g., 169.254.169.254).
- Review and apply the patches described in the FastGPT project that add `isInternalAddress()` validation to reject requests targeting internal addresses and enforce authentication on HTTP tool execution endpoints.
These steps collectively reduce the risk of SSRF exploitation by preventing unauthorized internal network scanning and access.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
CVE-2026-34163 is a Server-Side Request Forgery (SSRF) vulnerability in FastGPT that allows authenticated attackers to perform internal network reconnaissance, access cloud metadata services, and interact with internal services such as MongoDB and Redis. This can lead to unauthorized access to sensitive internal resources and potential data exfiltration.
Such unauthorized access and potential data exposure could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive personal and health data, secure network boundaries, and prevention of unauthorized data access or disclosure.
Specifically, the vulnerability could lead to exposure of sensitive data or credentials stored in internal services or cloud metadata, which may violate data protection requirements and increase risk of data breaches.
Mitigations such as internal address validation, authentication enforcement, and network-level controls help reduce these risks and support compliance efforts by preventing unauthorized internal network access.