CVE-2026-26075 is a Cross-Site Request Forgery (CSRF) vulnerability discovered in FastGPT, an AI Agent building platform. The flaw lets an attacker trigger unintended actions on a user's account if that user is tricked into visiting a malicious website while logged in. The vulnerability affects versions of FastGPT up to and including 4.14.7. A fix is available in version 4.14.7.
The CSRF vulnerability in FastGPT allows an attacker to craft malicious HTTP requests that appear to originate from a legitimate user. If a user is logged into FastGPT and visits a website containing a crafted request, the attacker can potentially execute actions as that user, such as modifying data, creating agents, or performing other administrative tasks. The impact is amplified if the user has elevated privileges within the FastGPT platform. Successful exploitation could lead to unauthorized data manipulation, account takeover, and potentially compromise the integrity of the AI agent building environment.
CVE-2026-26075 was publicly disclosed on 2026-02-12. No public proof-of-concept exploits are currently known. The EPSS score is pending evaluation. This vulnerability highlights the importance of implementing robust CSRF protection measures in web applications, particularly those handling sensitive data or user accounts.
Organizations and individuals utilizing FastGPT for AI agent development are at risk. Specifically, deployments with shared hosting environments or those lacking robust user awareness training are more vulnerable, as attackers can more easily trick users into executing malicious requests.
• nodejs / server:
  grep -r 'http.request' ./node_modules | grep -i 'url'   # look for HTTP request handling that may be vulnerable
• generic web:
  curl -I https://your-fastgpt-instance.com/ | grep -i 'referrer'   # response headers use the 'Referrer-Policy' spelling, so 'referer' would never match
• generic web:
  curl -I https://your-fastgpt-instance.com/ | grep -i 'x-frame-options'

Disclosure and exploitation status:
EPSS: 0.02% (4th percentile)
CISA SSVC
The primary mitigation for CVE-2026-26075 is to upgrade FastGPT to version 4.14.7 or later. This version includes a fix that addresses the underlying CSRF vulnerability. If upgrading immediately is not feasible, consider implementing stricter input validation and output encoding on the server side to prevent malicious requests from being processed. Additionally, implement CSRF protection mechanisms such as synchronizer tokens or double-submit cookies. Regularly review and update FastGPT's security configuration to ensure best practices are followed.
Update FastGPT to version 4.14.7 or later. This version contains a fix for the CSRF vulnerability. Upgrading reduces the risk of an attacker exploiting this vulnerability.
CVE-2026-26075 is a Cross-Site Request Forgery (CSRF) vulnerability affecting FastGPT versions up to 4.14.7, allowing attackers to trigger actions as a logged-in user.
You are affected if you are using FastGPT version 4.14.7 or earlier. Upgrade to 4.14.7 to resolve the vulnerability.
Upgrade FastGPT to version 4.14.7. Consider implementing CSRF protection mechanisms if immediate upgrade is not possible.
There are currently no reports of active exploitation, but it's crucial to apply the patch proactively.
Refer to the FastGPT official documentation and release notes for details on the security advisory and patch information.