Open Redirect in Labring Fastgpt
CVE-2026-26003
FastGPT is an AI Agent building platform. From 4.14.0 to 4.14.5, attackers can directly access the plugin system through FastGPT/api/plugin/xxx without authentication, thereby threatening the plugin system. This may cause the plugin system…
Vulnerability class: Open Redirect
EPSS: 0.001 (27.2th percentile)
Affected products
- Labring Fastgpt — versions >= 4.14.0, < 4.14.5-fix
Weakness classification (CWE)
References
- https://github.com/labring/FastGPT/security/advisories/GHSA-wcrg-g824-9gfg (x_refsource_CONFIRM)
- https://github.com/labring/FastGPT/commit/0beb52a2f3dc4067aab011cc98122d1352823b0c (x_refsource_MISC)
- https://github.com/labring/FastGPT/releases/tag/v4.14.5-fix (x_refsource_MISC)