CVE-2026-42344: FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packa
Summary
FastGPT versions 4.14.11 and earlier have a DNS rebinding vulnerability in the isInternalAddress() function, a TOCTOU (Time-of-Check to Time-of-Use) flaw: the check is made at one moment, but the action that follows uses a different result obtained moments later. The function validates that a hostname resolves to a safe private IP address, but because the actual HTTP request performs a separate DNS lookup afterward, an attacker can change the DNS record between validation and the request, bypassing the security check.
Vulnerability Details
CVSS base score: 6.3 (Medium)
EPSS: 0.0%
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack vector: Network
Attack complexity: High
Privileges required: Low
User interaction: None
Date: May 8, 2026
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-42344
First tracked: May 9, 2026 at 02:12 AM