VYPR
High severity (7.7) · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-44285

Description

FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, a Server-Side Request Forgery (SSRF) vulnerability allows an authenticated attacker to bypass the global isInternalAddress network protection and make arbitrary HTTP GET requests to internal network services. This is achieved by exploiting an incomplete fix in the dataset preview endpoint /api/core/dataset/file/getPreviewChunks when utilizing the externalFile data import type. This vulnerability is fixed in 4.15.0-beta1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FastGPT before 4.15.0-beta1 has an SSRF vulnerability in the dataset preview API that lets authenticated attackers bypass internal network restrictions and probe internal services.

Vulnerability

The vulnerability is a Server-Side Request Forgery (SSRF) in FastGPT versions prior to 4.15.0-beta1. The /api/core/dataset/file/getPreviewChunks endpoint, when handling externalFile type imports, calls readFileRawTextByUrl without performing the isInternalAddress check that is used elsewhere. This allows an attacker to specify arbitrary URLs, including internal IPs like http://172.20.0.1 or cloud metadata endpoints like http://169.254.169.254, and receive the response contents as preview chunks [1].

Exploitation

An authenticated attacker needs only a valid API token or session. They send a POST request to /api/core/dataset/file/getPreviewChunks with type: "externalFile" and a url parameter pointing to an internal service. The application fetches the URL and returns the text content as chunks, effectively reflecting the internal response back to the attacker [1].

Impact

Successful exploitation allows the attacker to read arbitrary internal HTTP services, including cloud metadata endpoints (e.g., AWS, GCP), internal dashboards, or any other HTTP-accessible service. This can lead to credential disclosure, infrastructure mapping, and further lateral movement. The attacker gains the ability to probe and exfiltrate data from internal networks that should be unreachable from the internet [1].

Mitigation

The vulnerability is fixed in FastGPT version 4.15.0-beta1. Users should upgrade to this version or later. No workarounds are documented; if upgrade is not immediately possible, consider restricting access to the /api/core/dataset/file/getPreviewChunks endpoint via network policies or disabling the externalFile dataset import feature [1].

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Labring/Fastgpt (inferred), 2 version ranges: < 4.15.0-beta1
    • (no CPE) range: < 4.15.0-beta1
    • (no CPE) range: < 4.15.0-beta1

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing isInternalAddress validation in readFileRawTextByUrl allows arbitrary internal HTTP GET requests."

Attack vector

An authenticated attacker sends a POST request to `/api/core/dataset/file/getPreviewChunks` with `type: "externalFile"` and a `sourceId` pointing to an internal IP (e.g. `http://172.20.0.1:9999/secret_target.txt`). The server fetches that URL via `readFileRawTextByUrl` without checking `isInternalAddress`, and returns the response content as parsed text chunks. This allows probing internal services and reading cloud metadata endpoints such as `http://169.254.169.254/`. [CWE-918] [ref_id=1]

Affected code

The vulnerability resides in `packages/service/core/dataset/read.ts` in the `readFileRawTextByUrl` function, which makes an axios GET request to a user-supplied URL without calling the `isInternalAddress` helper. The call chain is triggered from the dataset preview endpoint `/api/core/dataset/file/getPreviewChunks` when `type: "externalFile"` is used, routing the `sourceId` parameter directly into the vulnerable function.

What the fix does

The advisory states the fix is in version 4.15.0-beta1 but does not include a patch diff. The remediation would require adding an `isInternalAddress` check on the `url` parameter inside `readFileRawTextByUrl` before the axios call, consistent with the protection already applied to other data ingestion paths like `urlsFetch` and HTTP tool API executions. [ref_id=1]

Preconditions

  • auth: Valid API token or active cookie session
  • input: A valid datasetId
  • input: The target URL must end with a text file extension (e.g. .txt) to pass filename parsing

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)

News mentions (0)

No linked articles in our index yet.