CVE-2026-34162

FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint /api/core/app/httpTools/runTool is exposed without any authentication. This endpoint acts as a full HTTP proxy — it accepts a user-supplied baseUrl, toolPath, HTTP method, custom headers,...

CVE-2026-34162

Product: FastGPTVulnerability: Unauthenticated SSRF via the /api/core/app/httpTools/runTool endpointImpact: Potential internal API key theft; full server-side HTTP proxy behavior exposes response dataAffected versions: before 4.14.9.5Fix/mitigation: Upgrade to 4.14.9.5 (patched)CVSSv3.1: 10.0 (CR...