Low severity · NVD Advisory · Published May 8, 2026 · Updated May 12, 2026

CVE-2026-44286

Description

FastGPT is an AI Agent building platform. Prior to version 4.14.17, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability allows attackers (or authenticated users with App editing privileges) to send arbitrary HTTP requests to internal/private network addresses. The fetchData function in the lafModule workflow node uses axios to fetch user-controlled URLs without validating them against the application's internal network blocklist guard (isInternalAddress), bypassing SSRF protections. This issue has been patched in version 4.14.17.
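
The kind of check the description says was skipped, as an added example (not FastGPT's code and not its `isInternalAddress` implementation): a URL guard that runs before the HTTP client is called. `checkOutboundUrl`, `guardedFetch` and the injected `httpGet` are hypothetical names, and the blocked ranges are a constructed, non-exhaustive list.

```javascript
// Added example: a hypothetical guard, not FastGPT's isInternalAddress.
// It judges literal hosts only; a real guard must also check what a name resolves to.
const BLOCKED_V4 = [ // [network, prefix bits]
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

function v4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) return null;
  return parts.reduce((n, p) => n * 256 + Number(p), 0);
}

function isBlockedV4(ip) {
  const n = v4ToInt(ip);
  if (n === null) return false; // not a dotted-quad literal
  return BLOCKED_V4.some(([net, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(n / size) === Math.floor(v4ToInt(net) / size);
  });
}

function isBlockedV6(v6) {
  // loopback, unspecified, IPv4-mapped, unique-local fc00::/7, link-local fe80::/10
  return v6 === '::1' || v6 === '::' || v6.startsWith('::ffff:') ||
    /^f[cd][0-9a-f]{2}:/.test(v6) || /^fe[89ab][0-9a-f]:/.test(v6);
}

// Returns a refusal reason, or null when the URL may be requested.
function checkOutboundUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return 'unparseable URL'; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return 'scheme not allowed';
  // The URL parser has already canonicalised numeric IPv4 host forms to dotted-quad.
  const host = u.hostname.toLowerCase().replace(/\.$/, '');
  if (host === 'localhost' || host.endsWith('.localhost')) return 'loopback name';
  if (host.startsWith('[')) return isBlockedV6(host.slice(1, -1)) ? 'internal IPv6 address' : null;
  return isBlockedV4(host) ? 'internal IPv4 address' : null;
}

// Validate first, then hand the URL to the HTTP client (injected so the example runs offline).
function guardedFetch(raw, httpGet) {
  const reason = checkOutboundUrl(raw);
  if (reason) throw new Error(`blocked outbound request: ${reason}`);
  return httpGet(raw);
}
```

A literal-host check like this is only the first layer: the same decision has to be applied to the address a hostname resolves to and to every redirect target the client follows.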

Affected products

  • Labring/Fastgpt (inferred), range: <4.14.17 (no CPE)
