MEDIUMCVE-2026-26075

CVE-2026-26075: CSRF in FastGPT AI Agent Platform

Q: Am I affected by CVE-2026-26075 in FastGPT?

You are affected if you are using FastGPT version 4.14.7 or earlier. Upgrade to 4.14.7 to resolve the vulnerability.

Q: How do I fix CVE-2026-26075 in FastGPT?

Upgrade FastGPT to version 4.14.7. Consider implementing CSRF protection mechanisms if immediate upgrade is not possible.

Q: Is CVE-2026-26075 being actively exploited?

There are currently no reports of active exploitation, but it's crucial to apply the patch proactively.

Q: Where can I find the official FastGPT advisory for CVE-2026-26075?

Refer to the FastGPT official documentation and release notes for details on the security advisory and patch information.

Platform

nodejs

Component

fastgpt

Fixed in

4.14.8

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026

View on NVD

Save

CVE-2026-26075 is a Cross-Site Request Forgery (CSRF) vulnerability discovered in FastGPT, an AI Agent building platform. This flaw allows attackers to potentially trigger unintended actions on a user's account if they are tricked into visiting a malicious website. The vulnerability affects versions of FastGPT up to and including 4.14.7. A fix is available in version 4.14.7.

Impact and Attack Scenarios

The CSRF vulnerability in FastGPT allows an attacker to craft malicious HTTP requests that appear to originate from a legitimate user. If a user is logged into FastGPT and visits a website containing a crafted request, the attacker can potentially execute actions as that user, such as modifying data, creating agents, or performing other administrative tasks. The impact is amplified if the user has elevated privileges within the FastGPT platform. Successful exploitation could lead to unauthorized data manipulation, account takeover, and potentially compromise the integrity of the AI agent building environment.

Exploitation Context

CVE-2026-26075 was publicly disclosed on 2026-02-12. No public proof-of-concept exploits are currently known. The EPSS score is pending evaluation. This vulnerability highlights the importance of implementing robust CSRF protection measures in web applications, particularly those handling sensitive data or user accounts.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

EPSS

0.02% (4% percentile)

CISA SSVC

Exploitationnone

Automatableyes

Technical Impactpartial

Affected Software

Componentfastgpt

Vendorlabring

Affected rangeFixed in

< 4.14.7 – < 4.14.74.14.8

Weakness Classification (CWE)

CWE-352

Timeline

Reserved2026-02-10
Published2026-02-12
Modified2026-02-13
EPSS updated2026-03-23

Mitigation and Workarounds

The primary mitigation for CVE-2026-26075 is to upgrade FastGPT to version 4.14.7 or later. This version includes a fix that addresses the underlying CSRF vulnerability. If upgrading immediately is not feasible, consider implementing stricter input validation and output encoding on the server-side to prevent malicious requests from being processed. Additionally, implement CSRF protection mechanisms such as synchronizer tokens or double-submit cookies. Regularly review and update FastGPT's security configuration to ensure best practices are followed.

How to fix

Update FastGPT to version 4.14.7 or higher. This version contains a fix for the CSRF vulnerability. The update will mitigate the risk of an attacker exploiting this vulnerability.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-26075 — CSRF in FastGPT?

CVE-2026-26075 is a Cross-Site Request Forgery (CSRF) vulnerability affecting FastGPT versions up to 4.14.7, allowing attackers to trigger actions as a logged-in user.

Am I affected by CVE-2026-26075 in FastGPT?