FastGPT — SSRF Cluster in AI Agent Platform

AI relevance: FastGPT is an open-source AI agent building platform — these SSRF flaws let attackers reach internal services through the agent's own workflow execution engine, and the MCP-specific bypass shows how agent tool integrations create new SSRF surfaces.

FastGPT (labring/FastGPT) received four CVEs on May 8, 2026, all relating to SSRF in its agent platform. Three were patched in v4.14.17; one (DNS rebinding) has no public patch at time of writing.

  • CVE-2026-44286 — Unauthenticated SSRF in the fetchData function of the lafModule workflow node. Attacker-supplied URLs are fetched via axios without checking against the internal network blocklist, allowing arbitrary requests to private addresses.
  • CVE-2026-44284 (Medium, CVSS 6.3) — Inconsistent SSRF protection in MCP tool URL handling. The direct MCP preview/run endpoints check URLs against internal addresses, but the MCP tool create/update endpoints do not. An authenticated user with toolset management permissions could persist an internal endpoint like http://localhost:3000/mcp and later trigger the workflow runner to connect to it.
  • CVE-2026-42344 (Medium, CVSS 6.3) — DNS rebinding (TOCTOU) in isInternalAddress(). The function resolves a hostname and checks IPs against private ranges, but the subsequent HTTP call re-resolves DNS separately — the record can change between validation and fetch. No public patch available.
  • CVE-2026-42343 — Additional SSRF-related issue in FastGPT (details limited at disclosure).

Why it matters

  • SSRF in an AI agent platform is particularly dangerous because agents already have legitimate reasons to reach external APIs, databases, and internal services — giving an attacker a stealthy tunnel.
  • The MCP tool URL bypass (CVE-2026-44284) is a textbook example of defense-in-depth failure: one code path validates, another doesn't. In agent platforms with multiple tool integration surfaces, this pattern is likely widespread.
  • DNS rebinding defeats IP-blocklist SSRF mitigations — a common pattern in AI platforms. The fix requires time-of-use validation, not just time-of-check.
  • FastGPT is used for building production agent workflows; compromised deployments could leak credentials, access internal APIs, or exfiltrate data through the agent's own tool calls.

What to do

  • Upgrade FastGPT to v4.14.17 or later.
  • For the unpatched DNS rebinding issue (CVE-2026-42344), pin DNS resolution at time-of-use or route outbound traffic through an egress proxy that enforces policy.
  • Audit any custom MCP tool URLs in your FastGPT instance — look for stored URLs pointing to internal addresses.
  • If building agent platforms: validate URLs at both creation and execution time, use IP allowlists rather than blocklists, and pin DNS resolution to the request phase.
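
The check/use gap behind CVE-2026-42344 and the "pin DNS resolution" mitigation, as an added Node.js example (not FastGPT's code or its patch). All function names, the internal-range list and the rebinding resolver with its addresses are constructed for illustration.

```javascript
const net = require('node:net');
const dns = require('node:dns');

// Internal ranges to refuse (illustrative, not exhaustive).
const internal = new net.BlockList();
for (const cidr of ['0.0.0.0/8', '10.0.0.0/8', '127.0.0.0/8', '169.254.0.0/16',
  '172.16.0.0/12', '192.168.0.0/16', '::1/128', 'fc00::/7', 'fe80::/10']) {
  const [addr, bits] = cidr.split('/');
  internal.addSubnet(addr, Number(bits), net.isIP(addr) === 6 ? 'ipv6' : 'ipv4');
}
const isInternalIp = (ip) => internal.check(ip, net.isIP(ip) === 6 ? 'ipv6' : 'ipv4');
// Default resolver: every A/AAAA answer as [{ address, family }].
const systemResolver = (host) => dns.promises.lookup(host, { all: true });

// Time of check: resolve once and refuse if ANY answer is internal.
async function resolveAndVet(host, resolver = systemResolver) {
  const answers = await resolver(host);
  if (answers.length === 0) throw new Error(`no DNS answers for ${host}`);
  const bad = answers.find((a) => isInternalIp(a.address));
  if (bad) throw new Error(`blocked internal address ${bad.address}`);
  return answers[0];
}

// Time of use: `lookup` option for http.request/net.connect that reuses the vetted address.
function pinnedLookup(vetted) {
  return (_host, options, cb) => {
    if (typeof options === 'function') { cb = options; options = {}; }
    if (options.all) cb(null, [{ address: vetted.address, family: vetted.family }]);
    else cb(null, vetted.address, vetted.family);
  };
}

// Constructed resolver that rebinds: public answer first, loopback afterwards.
function rebindingResolver() {
  let calls = 0;
  return async () => [{ address: calls++ === 0 ? '203.0.113.10' : '127.0.0.1', family: 4 }];
}

// Check-then-fetch resolves twice; returns the address the second lookup yields.
async function checkThenFetchTarget(host, resolver) {
  await resolveAndVet(host, resolver);
  return (await resolver(host))[0].address;
}

// Pinned client resolves once; returns the address handed to the socket.
async function pinnedTarget(host, resolver) {
  const lookup = pinnedLookup(await resolveAndVet(host, resolver));
  return new Promise((resolve, reject) =>
    lookup(host, {}, (err, address) => (err ? reject(err) : resolve(address))));
}
```

In a real client, pass `lookup: pinnedLookup(vetted)` in the request options and keep the hostname in the URL so TLS SNI and certificate checks still use the name. Each redirect hop needs the same vetting before it is followed.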
