CVE-2026-44286
FastGPT: SSRF Vulnerability in Laf Workflow Node via Missing Internal Address Validation
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
FastGPT is an AI Agent building platform. Prior to version 4.14.17, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability allows attackers (or authenticated users with App editing privileges) to send arbitrary HTTP requests to internal/private network addresses. The fetchData function in the lafModule workflow node uses axios to fetch user-controlled URLs without validating them against the application's internal network blocklist guard (isInternalAddress), bypassing SSRF protections. This issue has been patched in version 4.14.17.
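An added example (not FastGPT's code and not the project's `isInternalAddress` implementation) of the kind of check the description says was missing before the outbound request. `isInternalUrl`, `fetchDataGuarded` and the injected `httpGet` are hypothetical names, and the blocked ranges are an assumed baseline.

```javascript
// Added example: hypothetical guard, not FastGPT's isInternalAddress.
const BLOCKED_V4 = [ // [network, prefix bits]: loopback, private, link-local, CGNAT
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

function v4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inBlockedV4(ip) {
  const n = v4ToInt(ip);
  if (n === null) return false; // not an IPv4 literal
  return BLOCKED_V4.some(([net, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(n / size) === Math.floor(v4ToInt(net) / size);
  });
}

function isInternalUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return true; } // unparsable: refuse
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return true;
  // URL normalizes decimal/hex IPv4 forms (2130706433 becomes 127.0.0.1).
  const host = url.hostname.toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (host.startsWith('[')) { // IPv6 literal keeps its brackets
    const v6 = host.slice(1, -1);
    if (v6 === '::' || v6 === '::1' || v6.startsWith('::ffff:')) return true;
    return /^f[cd][0-9a-f]{2}:/.test(v6) || /^fe[89ab][0-9a-f]:/.test(v6);
  }
  // A hostname reaches here unresolved: a full guard must also check the
  // addresses it resolves to, which this offline example does not do.
  return inBlockedV4(host);
}

// httpGet is injected (for axios it would be axios.get); maxRedirects: 0
// keeps a redirect from reaching an internal address after the check.
async function fetchDataGuarded(rawUrl, httpGet) {
  if (isInternalUrl(rawUrl)) throw new Error('request to internal address refused');
  return httpGet(rawUrl, { maxRedirects: 0 });
}
```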
| CWE | CWE-918 |
| Vendor | labring |
| Product | fastgpt |
| Published | May 8, 2026 |
Affected Versions
labring / FastGPT
< 4.14.17