Labring Fastgpt
22 CVEs affecting Labring Fastgpt. Latest disclosed: 2026-05-29. Critical: 3, High: 4.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
CVE-2026-34162 | Critical | 10.0 | 2026-03-31 | FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint (/api/core/app/httpTools/runTool) is exposed witho… |
CVE-2026-42302 | Critical | 9.8 | 2026-05-08 | FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of FastGPT is vulnerable to unauthenticat… |
CVE-2026-40351 | Critical | 9.8 | 2026-04-17 | FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime valid… |
CVE-2026-40352 | High | 8.8 | 2026-04-17 | FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password change endpoint is vulnerable to NoSQL injection. An authenticated attack… |
CVE-2026-44285 | High | 7.7 | 2026-05-29 | FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, a Server-Side Request Forgery (SSRF) vulnerability allows an authenticated attacker to bypass… |
CVE-2026-42345 | High | 7.7 | 2026-05-08 | FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packages/service/common/system/utils.ts bloc… |
CVE-2026-34163 | High | 7.7 | 2026-03-31 | FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, FastGPT's MCP (Model Context Protocol) tools endpoints (/api/core/app/mcpTools/getTools an… |
CVE-2026-44287 | Medium | 6.3 | 2026-05-29 | FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, the JavaScript sandbox worker at projects/code-sandbox/src/pool/worker.ts:356 blocks dynamic i… |
CVE-2026-44284 | Medium | 6.3 | 2026-05-08 | FastGPT is an AI Agent building platform. Prior to version 4.14.17, FastGPT had an inconsistent SSRF protection gap in MCP tool URL handling. The direct MCP pr… |
CVE-2026-42344 | Medium | 6.3 | 2026-05-08 | FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packages/service/common/system/utils.ts is v… |
CVE-2026-32128 | Medium | 6.3 | 2026-03-11 | FastGPT is an AI Agent building platform. In 4.14.7 and earlier, FastGPT's Python Sandbox (fastgpt-sandbox) includes guardrails intended to prevent file writes… |
CVE-2025-49131 | Medium | 6.3 | 2025-06-09 | FastGPT is an open-source project that provides a platform for building, deploying, and operating AI-driven workflows and conversational agents. The Sandbox co… |
CVE-2026-40100 | Medium | 5.3 | 2026-04-10 | FastGPT is an AI Agent building platform. Prior to 4.14.10.3, the /api/core/app/mcpTools/runTool endpoint accepts arbitrary URLs without authentication. The in… |
CVE-2026-44286 | | 2026-05-08 | FastGPT is an AI Agent building platform. Prior to version 4.14.17, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability allows attackers (or au… | |
CVE-2026-42343 | | 2026-05-08 | FastGPT is an AI Agent building platform. In versions 4.14.13 and prior, the code-sandbox component suffers from insufficient resource isolation and uncontroll… | |
CVE-2026-40252 | | 2026-04-10 | FastGPT is an AI Agent building platform. Prior to 4.14.10.4, Broken Access Control vulnerability (IDOR/BOLA) allows any authenticated team to access and execu… | |
CVE-2026-33075 | | 2026-03-20 | FastGPT is an AI Agent building platform. In versions 4.14.8.3 and below, the fastgpt-preview-image.yml workflow is vulnerable to arbitrary code execution and… | |
CVE-2026-26075 | | 2026-02-12 | FastGPT is an AI Agent building platform. Due to the fact that FastGPT's web page acquisition nodes, HTTP nodes, etc. need to initiate data acquisition request… | |
CVE-2026-26003 | | 2026-02-10 | FastGPT is an AI Agent building platform. From 4.14.0 to 4.14.5, attackers can directly access the plugin system through FastGPT/api/plugin/xxx without authent… | |
CVE-2025-62612 | | 2025-10-22 | FastGPT is an AI Agent building platform. Prior to version 4.11.1, in the workflow file reading node, the network link is not security-verified, posing a risk… |