CVE-2026-40100: FastGPT is an AI Agent building platform. Prior to 4.14.10.3, the /api/core/app/mcpTools/runTool endpoint accepts arbitr
Summary
FastGPT, an AI Agent building platform, has a vulnerability in versions before 4.14.10.3 where an endpoint accepts URLs without proper authentication checks, allowing unauthenticated attackers to perform SSRF (server-side request forgery, where an attacker tricks the server into making requests to internal network resources) attacks against internal systems. The vulnerability exists because the internal IP check is disabled by default.
Solution / Mitigation
Update FastGPT to version 4.14.10.3 or later, where this vulnerability is fixed.
Vulnerability Details
5.3(medium)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
network
low
none
none
April 10, 2026
Classification
Taxonomy References
Affected Vendors
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-40100
First tracked: April 10, 2026 at 02:07 PM
Classified by LLM (prompt v3) · confidence: 85%