Platform: nodejs
Component: fastgpt
Fixed in: 4.14.8
CVE-2026-26075 is a Cross-Site Request Forgery (CSRF) vulnerability in FastGPT, an AI agent building platform. It allows an attacker to trigger unintended actions on a user's account if the user, while logged in, is lured to a malicious website. The vulnerability affects FastGPT versions up to and including 4.14.7; the fix shipped in version 4.14.8.
CSRF works because the browser automatically attaches the user's FastGPT session cookie to any request sent to the FastGPT origin, regardless of which page issued it. An attacker can therefore craft a page that submits HTTP requests to FastGPT which the server accepts as coming from the logged-in user. If a logged-in user visits such a page, the attacker can perform actions as that user, such as modifying data, creating agents, or, where the victim has elevated privileges, administrative tasks. Successful exploitation could lead to unauthorized data manipulation, account takeover, and compromise of the integrity of the AI agent building environment.
CVE-2026-26075 was publicly disclosed on 2026-02-12. No public proof-of-concept exploit is currently known. The EPSS score is 0.02% (4th percentile). The vulnerability illustrates why state-changing endpoints in web applications, particularly those handling sensitive data or user accounts, need CSRF protection that does not rely on the session cookie alone.
Organizations and individuals using FastGPT for AI agent development are at risk. Exposure is greatest where users access the FastGPT web UI from the same browser they use for general browsing and where sessions stay authenticated for long periods, since the attack only requires a logged-in victim to load an attacker-controlled page. Deployments without user awareness training are more likely to have users who follow such links.
• nodejs / server:
grep -r 'http.request' ./node_modules | grep -i 'url'  # Lists HTTP request call sites in dependencies only; it does not identify the CSRF flaw. The authoritative check is the running FastGPT version: 4.14.7 or earlier is affected.
• generic web:
curl -I https://your-fastgpt-instance.com/ | grep -i 'referrer-policy'  # Response headers never carry Referer; this shows whether a Referrer-Policy is set, which determines whether server-side Referer validation has anything to validate.
• generic web:
curl -I https://your-fastgpt-instance.com/ | grep -i 'x-frame-options'  # Anti-framing header; a useful posture check, but its presence does not prove CSRF protection is in place.
Disclosure: 2026-02-12
Exploit status: no public proof of concept or active exploitation reported
EPSS: 0.02% (4th percentile)
CISA SSVC
The primary mitigation for CVE-2026-26075 is to upgrade FastGPT to version 4.14.8 or later, which contains the fix for the CSRF flaw. If upgrading immediately is not feasible, reduce exposure with controls that specifically address CSRF: set the session cookie with the SameSite attribute so browsers withhold it on cross-site requests, reject state-changing requests whose Origin or Referer header is not a trusted FastGPT origin (this can be enforced at a reverse proxy in front of the application), and protect state-changing endpoints with synchronizer tokens or double-submit cookies. Input validation and output encoding do not mitigate CSRF, because the forged request is well-formed; the problem is that the server cannot tell the request was not intended by the user. Review FastGPT's security configuration regularly and keep it current.
Update FastGPT to version 4.14.8 or later. That version contains the fix for the CSRF vulnerability; updating removes the risk of an attacker exploiting it.
CVE-2026-26075 is a Cross-Site Request Forgery (CSRF) vulnerability affecting FastGPT versions up to and including 4.14.7, allowing an attacker to trigger actions as a logged-in user.
You are affected if you run FastGPT version 4.14.7 or earlier. Upgrade to 4.14.8 or later to resolve the vulnerability.
Upgrade FastGPT to version 4.14.8 or later. If you cannot upgrade immediately, add CSRF protections (SameSite session cookies, Origin/Referer validation, anti-CSRF tokens) in front of state-changing endpoints in the meantime.
There are currently no reports of active exploitation and no known public proof of concept, but the patch should be applied proactively.
Refer to the FastGPT official documentation and release notes for details on the security advisory and patch information.