CVE-2026-34162: FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint (/api/core/
Summary
FastGPT, an AI Agent building platform, has a vulnerability in versions before 4.14.9.5 where an HTTP tools testing endpoint (/api/core/app/httpTools/runTool) lacks authentication (missing access controls). This endpoint acts as a proxy that accepts user-supplied requests and makes server-side HTTP calls, potentially allowing unauthorized attackers to make requests on behalf of the FastGPT server.
Solution / Mitigation
Update FastGPT to version 4.14.9.5 or later, which patches this vulnerability.
Vulnerability Details
CVSS score: 10 (critical)
EPSS: 0.0%
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Attack vector: network
Attack complexity: low
Privileges required: none
User interaction: none
March 31, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-34162
First tracked: March 31, 2026 at 02:07 PM