CVE-2026-44285: FastGPT SSRF Vulnerability in Dataset Preview Endpoint
FastGPT, an AI Agent building platform, contains a Server-Side Request Forgery (SSRF) vulnerability in versions before 4.15.0-beta1. An authenticated user can bypass the platform's internal network protection and send HTTP requests to services on the internal network that should be inaccessible. The flaw exists in the dataset preview feature when using the externalFile import type. This allows an attacker with valid credentials to potentially access sensitive internal services, databases, or administrative endpoints that are normally restricted from external access.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.7 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-918
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, a Server-Side Request Forgery (SSRF) vulnerability allows an authenticated attacker to bypass the global isInternalAddress network protection and make arbitrary HTTP GET requests to internal network services. This is achieved by exploiting an incomplete fix in the dataset preview endpoint /api/core/dataset/file/getPreviewChunks when utilizing the externalFile data import type. This vulnerability is fixed in 4.15.0-beta1.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in the /api/core/dataset/file/getPreviewChunks endpoint and stems from an incomplete implementation of the isInternalAddress network protection mechanism. When an authenticated user requests a file preview through the externalFile data import type, the endpoint fails to properly validate that target URLs do not point to internal network addresses. An attacker can craft requests that circumvent the protection, enabling arbitrary HTTP GET requests to internal services such as metadata services, internal APIs, or other network-accessible resources. The fix in version 4.15.0-beta1 addresses this bypass by implementing more robust URL validation logic.
Business impact
This vulnerability enables credential-holding insiders or compromised legitimate accounts to conduct reconnaissance and exfiltration attacks against internal infrastructure without triggering typical external network monitoring. An attacker could enumerate internal services, extract configuration data, access administrative dashboards, or retrieve sensitive information from databases exposed on the internal network. For organizations running FastGPT in environments with sensitive internal services, this represents a material data confidentiality risk and could facilitate lateral movement attacks within the network.
Affected systems
FastGPT versions prior to 4.15.0-beta1 are affected. Organizations running any release in the 4.14.x branch, 4.13.x branch, or earlier are at risk. The vulnerability requires authentication, so only users with valid FastGPT credentials can exploit it. Systems with FastGPT deployed in network segments containing sensitive internal services or databases are at highest risk.
Exploitability
Exploitability is moderate-to-high because the attack requires valid authentication credentials but no additional user interaction. An attacker with a compromised or rogue account, or an insider with legitimate access, can immediately begin probing internal networks. The attack surface is straightforward: any authenticated user can craft requests to the vulnerable endpoint. However, actual impact depends on what internal services are present and accessible from the FastGPT deployment's network segment. The simplicity of exploitation (crafting HTTP GET requests) lowers the technical barrier.
Remediation
Upgrade FastGPT to version 4.15.0-beta1 or later to apply the complete fix for the isInternalAddress validation bypass. Organizations unable to upgrade immediately should implement network-level mitigations: isolate FastGPT instances to restricted network segments, apply firewall rules to prevent outbound connections to internal service ranges, and restrict FastGPT user account creation to trusted administrators only. Monitor authentication logs for unusual activity and review access controls on internal services that might be reachable from FastGPT.
Patch guidance
Apply version 4.15.0-beta1 or any subsequent stable release as soon as feasible. Verify the patch against the vendor advisory to confirm the version installed includes the corrected isInternalAddress validation logic. Beta versions should be tested in a staging environment before production deployment. If production deployment of a beta is necessary, combine it with compensating network controls until a stable release is available.
Detection guidance
Monitor FastGPT access logs for requests to /api/core/dataset/file/getPreviewChunks with externalFile parameters pointing to internal IP ranges (RFC 1918 addresses, link-local addresses, or local loopback). Correlate unusual preview requests with internal network traffic captures to identify outbound connections from FastGPT to unexpected internal services. Network IDS/IPS signatures should flag HTTP requests originating from FastGPT systems to internal service ports that should not be accessed. Review authentication logs for brute-force or unauthorized account creation attempts preceding such requests.
Why prioritize this
This vulnerability merits high priority despite being confined to authenticated users because (1) it bypasses network security controls, (2) it provides direct access to internal infrastructure confidentiality, (3) insider or account-compromise scenarios are common, and (4) the fix is available. Organizations with sensitive internal services adjacent to FastGPT deployments should prioritize patching within 2-4 weeks. Those in higher-trust environments or with strong network segmentation may extend timelines slightly, but should not defer indefinitely.
Risk score, explained
The CVSS 3.1 score of 7.7 (HIGH) reflects: Attack Vector Network (AV:N) because the endpoint is web-accessible; Access Complexity Low (AC:L) indicating straightforward exploitation; Privileges Required (PR:L) acknowledging the authentication prerequisite; User Interaction None (UI:N) as no social engineering is needed; Scope Changed (S:C) because the attacker can access services outside the FastGPT application boundary; Confidentiality High (C:H) as internal service data is exposed; Integrity None (I:N) and Availability None (A:N) as this is read-only SSRF. The score appropriately captures the confidentiality risk while reflecting that pre-authentication and the read-only nature prevent maximum severity ratings.
Frequently asked questions
Do I need valid FastGPT credentials to exploit this?
Yes. The vulnerability requires authentication to the FastGPT platform. However, this does not eliminate risk—compromised user accounts, insider threats, or overly permissive credential sharing can provide attackers with the necessary access to exploit it.
What internal services are typically at risk?
Any internal HTTP service reachable from the FastGPT server's network segment is potentially at risk, including metadata services (AWS EC2 metadata, GCP metadata), internal dashboards, database admin interfaces, Kubernetes API servers, internal APIs, and configuration management systems. The actual risk depends on your specific network architecture and what services are deployed alongside FastGPT.
Is there a workaround if I cannot patch immediately?
Partial mitigations include network isolation of FastGPT, outbound firewall rules blocking connections to internal IP ranges, restricting FastGPT user account creation to trusted administrators, and disabling the externalFile data import type if not essential. However, these are compensating controls—they do not eliminate the vulnerability. Patching is the definitive remediation.
Does this vulnerability allow an attacker to modify or delete internal services?
No. This SSRF vulnerability permits only HTTP GET requests for reconnaissance and information retrieval. It does not provide write access, so modification, deletion, or availability disruption of internal services is not possible through this vector alone. However, reconnaissance data can enable follow-up attacks.
This analysis is based on the CVE record and vendor advisory as of the publication date. Security landscapes evolve; verify all technical details, patch availability, and version numbers against the official FastGPT security advisory and documentation before taking action. This vulnerability has not been added to the CISA Known Exploited Vulnerabilities catalog as of the last update. SEC.co provides this information for informational purposes; organizations must conduct their own risk assessment based on their specific deployment, network architecture, and threat model. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10068HIGHSSRF in Shibby Tomato 1.28 miniupnpd (Unmaintained)
- CVE-2026-10107HIGHMoviePilot v2 SSRF in Image Proxy Allows Internal Network Access
- CVE-2026-10280HIGHServer-Side Request Forgery in Horizon921 mcpilot 0.1.0
- CVE-2026-10287HIGHSSRF in SourceCodester SEO Meta Tag Extractor 1.0
- CVE-2026-10771HIGHCRMEB Java SSRF Vulnerability in QR Code Endpoint
- CVE-2026-42398HIGHKibana Webhook SSRF Vulnerability—Egress Allowlist Bypass
- CVE-2026-42965HIGHOpenShift Router SSRF via FQDN EndpointSlice
- CVE-2026-10052MEDIUMQuay SSRF in LDAP/SMTP Validation—Internal Network Reconnaissance Risk