CVE-2026-42345: FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packa
Summary
FastGPT, an AI platform for building AI agents, has a vulnerability in versions 4.14.11 and earlier where its isInternalAddress() function fails to block access to cloud metadata endpoints (services that store sensitive system information). Attackers can bypass the blocklist using URL encoding techniques (methods to disguise URLs), and because a security check is disabled by default, the metadata endpoint remains accessible without additional protection.
Vulnerability Details
CVSS score: 7.7 (high)
EPSS: 0.0%
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack vector: network
Attack complexity: low
Privileges required: low
User interaction: none
May 8, 2026
Related Issues
CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-42345
First tracked: May 9, 2026 at 02:12 AM
Classified by LLM (prompt v3) · confidence: 92%