CVE-2026-44286: FastGPT is an AI Agent building platform. Prior to version 4.14.17, an unauthenticated Server-Side Request Forgery (SSRF
Summary
FastGPT, a platform for building AI agents, has a vulnerability in versions before 4.14.17 that allows attackers to send requests to internal or private network addresses without needing to log in. The problem is in the fetchData function, which retrieves data from user-provided URLs but doesn't properly check them against a blocklist (isInternalAddress) that's meant to prevent SSRF attacks (where a server is tricked into making requests to systems it shouldn't access).
Solution / Mitigation
Update FastGPT to version 4.14.17 or later, where this issue has been patched.
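The kind of pre-request check the summary describes, as an added JavaScript example. It is not FastGPT's code: only the name isInternalAddress comes from the advisory, and checkFetchTarget, the range list and the behaviour shown are assumptions. It validates the literal host of the parsed URL only.

```javascript
// Added example, not FastGPT source. Only the name isInternalAddress comes from
// the advisory; checkFetchTarget, BLOCKED_V4 and the ranges are assumptions.
const BLOCKED_V4 = [ // [network, prefix length]
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if not an IPv4 literal.
function ipv4ToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// True when the host (as canonicalised by new URL()) is loopback, private or link-local.
function isInternalAddress(hostname) {
  const h = hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  const v4 = ipv4ToInt(h);
  if (v4 !== null) {
    return BLOCKED_V4.some(([net, bits]) => {
      const mask = (~0 << (32 - bits)) >>> 0;
      return ((v4 & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
    });
  }
  if (!h.includes(':')) return false;              // DNS name: re-check after resolution
  if (h === '::' || h === '::1') return true;      // unspecified, loopback
  if (/^f[cd][0-9a-f]{2}:/.test(h)) return true;   // fc00::/7 unique local
  if (/^fe[89ab][0-9a-f]:/.test(h)) return true;   // fe80::/10 link-local
  // IPv4-mapped IPv6: the URL parser serialises the IPv4 tail as two hex groups.
  const m = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(h);
  if (!m) return false;
  const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
  return isInternalAddress(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
}

// Gate to call before any outbound request made on behalf of a caller.
function checkFetchTarget(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: 'unparseable URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme not allowed' };
  }
  if (isInternalAddress(url.hostname)) return { ok: false, reason: 'internal address' };
  return { ok: true, reason: 'literal host passed' };
}
```

A DNS name that passes this gate still has to be resolved and the resolved address checked, and every redirect hop re-validated, before the request is sent.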
Vulnerability Details
EPSS: 0.0%
May 8, 2026
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-44286
First tracked: May 9, 2026 at 02:12 AM