CVE-2026-44284
Received Received - Intake
SSRF Protection Bypass in FastGPT MCP Tool URLs

Publication date: 2026-05-08

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
FastGPT is an AI Agent building platform. Prior to version 4.14.17, FastGPT had an inconsistent SSRF protection gap in MCP tool URL handling. The direct MCP preview/run endpoints already rejected internal/private network URLs, but the MCP tool create/update endpoints could still save an internal MCP server URL. That stored URL could later be used by workflow execution without revalidating the destination. An authenticated user with permission to create or manage MCP toolsets could store an internal endpoint such as http://localhost:3000/mcp and later cause the FastGPT backend workflow runner to connect to that internal destination. This issue has been patched in version 4.14.17.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-11
Generated
2026-06-19
AI Q&A
2026-05-09
EPSS Evaluated
2026-06-18
NVD
CVE-2026-44284
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fastgpt fastgpt to 4.14.17 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in FastGPT, an AI Agent building platform, prior to version 4.14.17. It involves an inconsistent Server-Side Request Forgery (SSRF) protection gap in the MCP tool URL handling. While some endpoints rejected internal or private network URLs, the create and update endpoints for MCP tools could still save internal URLs. An authenticated user with permission to create or manage MCP toolsets could store an internal endpoint URL, such as http://localhost:3000/mcp, which could later be used by the backend workflow runner to connect to that internal destination without revalidating the URL.

Impact Analysis

This vulnerability can allow an authenticated user with certain permissions to cause the FastGPT backend to connect to internal network endpoints that are normally inaccessible. This could lead to unauthorized access to internal services, potential data leakage, or exploitation of internal systems. The CVSS score of 6.3 indicates a medium severity with impacts on confidentiality, integrity, and availability.

Mitigation Strategies

To mitigate this vulnerability, upgrade FastGPT to version 4.14.17 or later, where the SSRF protection gap has been patched.

Additionally, restrict permissions so that only trusted authenticated users can create or manage MCP toolsets, minimizing the risk of storing malicious internal URLs.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44284. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart