Platform
redis
Component
redis-server
Fixed in
4.14.10
CVE-2026-34163 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in FastGPT, an AI Agent building platform. This vulnerability allows authenticated attackers to leverage the platform's MCP (Model Context Protocol) tools endpoints to initiate HTTP requests to internal network resources without proper validation. The issue affects versions prior to 4.14.9.5, and a patch is available.
The SSRF vulnerability in FastGPT's MCP tools endpoints (/api/core/app/mcpTools/getTools and /api/core/app/mcpTools/runTool) allows an authenticated attacker to bypass intended security controls. By crafting malicious URLs, an attacker can force the server to make requests to internal services or resources that are not directly accessible from the outside. This could lead to the exposure of sensitive data, unauthorized access to internal systems, or even the potential for further exploitation if internal services are vulnerable. The impact is amplified if the internal network contains critical infrastructure or sensitive data stores.
CVE-2026-34163 was publicly disclosed on 2026-03-31. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are not yet widely available, but the SSRF nature of the vulnerability makes it likely that exploits will be developed. The EPSS score is likely to be medium, given the authentication requirement and the potential for significant impact if exploited.
Organizations deploying FastGPT for AI agent building, particularly those with internal services accessible from the application server, are at risk. Shared hosting environments where multiple users share the same FastGPT instance are also vulnerable, as an attacker could potentially exploit the vulnerability through another user's account.
• linux / server:
journalctl -u fastgpt | grep -i "mcpTools"
• generic web:
curl -I <fastgpt_url>/api/core/app/mcpTools/getTools?url=<internal_ip>
• database (redis):
INFO server
Review the output for any unusual connections or requests originating from the MCP tools endpoints.
Disclosure
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34163 is to upgrade FastGPT to version 4.14.9.5 or later, which includes the necessary fix. If upgrading immediately is not feasible, consider implementing temporary workarounds such as restricting network access to the MCP tools endpoints using a Web Application Firewall (WAF) or proxy server. Configure the WAF to block requests to internal IP addresses or domains. Additionally, review and strengthen authentication mechanisms to limit the number of authenticated users with access to these endpoints. After upgrade, confirm the fix by attempting to trigger the SSRF vulnerability and verifying that the request is blocked.
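As an added example (not FastGPT's own code, and not the project's fix), the following is a minimal egress check that a proxy or the application itself could apply to a user-supplied tool URL before fetching it: it rejects schemes other than http/https and any target whose address is not globally routable (loopback, RFC 1918, link-local including the cloud metadata range, CGNAT, unspecified). The `resolve_stub` lookup table is constructed for the example; real code would resolve with `socket.getaddrinfo` and connect to the exact address it validated.

```python
"""Allow-check for outbound URLs supplied by users, to block SSRF to
internal addresses. Added example; not part of FastGPT."""
import ipaddress
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def resolve_stub(hostname: str) -> list[str]:
    """Constructed stand-in for DNS resolution (assumption for this example).
    Production code would call socket.getaddrinfo(hostname, None)."""
    table = {
        "tools.example.com": ["93.184.216.34"],  # constructed public address
        "intranet.local": ["10.0.0.5"],          # constructed RFC 1918 address
        "localhost": ["127.0.0.1"],
    }
    return table.get(hostname.lower(), [])


def is_internal_address(ip_text: str) -> bool:
    """True for any address that is not globally routable: loopback,
    private, link-local (169.254.0.0/16, fe80::/10), CGNAT, multicast,
    unspecified and reserved ranges are all non-global."""
    addr = ipaddress.ip_address(ip_text)
    return not addr.is_global


def check_outbound_url(url: str, resolve=resolve_stub) -> tuple[bool, str]:
    """Return (allowed, reason) for a URL the server is asked to fetch."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname  # strips brackets, userinfo and port
    if not host:
        return False, "missing host"

    # A literal IP (IPv4 or bracketed IPv6) is checked directly; anything
    # else must resolve, so obfuscated forms like 0x7f000001 or 2130706433
    # that the stdlib refuses to parse are treated as hostnames and, when
    # they do not resolve, are rejected rather than passed through.
    try:
        ipaddress.ip_address(host)
        targets = [host]
    except ValueError:
        targets = resolve(host)
        if not targets:
            return False, f"host {host!r} did not resolve"

    # Every resolved address must be public; one internal A/AAAA record
    # is enough to refuse the request.
    for target in targets:
        if is_internal_address(target):
            return False, f"target {target} is not a public address"
    return True, "ok"


if __name__ == "__main__":
    for candidate in [
        "https://tools.example.com/mcp",
        "http://127.0.0.1:6379/",
        "http://169.254.169.254/latest/meta-data/",
        "http://intranet.local/admin",
        "http://[::1]/",
        "ftp://tools.example.com/",
    ]:
        print(candidate, "->", check_outbound_url(candidate))
```

Note that validating the name and then letting the HTTP client resolve it again leaves a window for DNS rebinding; the address that passed the check should be the one the socket connects to, and redirects must be re-checked with the same function.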
Update FastGPT to version 4.14.9.5 or higher. This version fixes the SSRF vulnerability in the MCP tools endpoints. The update prevents attackers from probing internal networks or accessing internal services.
CVE-2026-34163 is a HIGH severity SSRF vulnerability affecting FastGPT versions before 4.14.9.5, allowing attackers to make unauthorized HTTP requests to internal networks via MCP tools endpoints.
If you are running FastGPT version 4.14.9.5 or earlier, you are potentially affected by this SSRF vulnerability. Assess your environment and upgrade as soon as possible.
Upgrade FastGPT to version 4.14.9.5 or later. As a temporary workaround, restrict network access to the MCP tools endpoints using a WAF or proxy server.
While there are no confirmed reports of active exploitation at this time, the SSRF nature of the vulnerability suggests it is likely to be targeted in the future.
Refer to the FastGPT security advisory for detailed information and updates regarding CVE-2026-34163 (advisory URL placeholder, replace with the actual advisory URL: https://github.com/fastgpt/fastgpt/security/advisories/GHSA-xxxx-xxxx-xxxx).