CVE-2026-34163 Overview
CVE-2026-34163 is a Server-Side Request Forgery (SSRF) vulnerability affecting FastGPT, an AI Agent building platform. Prior to version 4.14.9.5, FastGPT's Model Context Protocol (MCP) tools endpoints (/api/core/app/mcpTools/getTools and /api/core/app/mcpTools/runTool) accept user-supplied URL parameters and make server-side HTTP requests without validating whether the URL points to internal or private network addresses.
The vulnerability arises from an inconsistency in security controls: while FastGPT implements a dedicated isInternalAddress() function for SSRF protection in other endpoints (such as the HTTP workflow node), the MCP tools endpoints fail to invoke this protective function. This allows authenticated attackers to abuse these endpoints for internal network reconnaissance, cloud metadata service access, and interaction with internal services.
Critical Impact
Authenticated attackers can exploit this SSRF vulnerability to scan internal networks, access cloud metadata services (such as AWS IMDSv1), and interact with internal services including MongoDB and Redis, potentially exposing sensitive credentials and internal infrastructure details.
Affected Products
- FastGPT versions prior to 4.14.9.5
- FastGPT MCP Tools API endpoints (/api/core/app/mcpTools/getTools)
- FastGPT MCP Tools API endpoints (/api/core/app/mcpTools/runTool)
Discovery Timeline
- 2026-03-31 - CVE-2026-34163 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-34163
Vulnerability Analysis
This SSRF vulnerability (CWE-918) exists due to missing input validation on URL parameters in the MCP tools endpoints. The vulnerability is particularly notable because the codebase already contains protective measures for SSRF in other areas of the application—the isInternalAddress() function exists and is actively used to validate URLs in the HTTP workflow node. However, this same protection was not applied to the MCP tools endpoints, creating an exploitable inconsistency.
The attack requires authentication, meaning an attacker must have valid credentials to access the vulnerable endpoints. Once authenticated, the attacker can supply arbitrary URLs that the server will fetch, effectively turning the FastGPT server into a proxy for accessing internal resources that would otherwise be unreachable from external networks.
Root Cause
The root cause is the failure to apply consistent SSRF protections across all endpoints that process user-supplied URLs. The MCP tools endpoints (getTools and runTool) were implemented without calling the existing isInternalAddress() validation function, despite this protection being available and used elsewhere in the codebase. This represents a defense-in-depth failure where security controls were not uniformly applied during development.
Attack Vector
An authenticated attacker can exploit this vulnerability via network-based requests to the MCP tools API endpoints. The attack flow involves:
- Authenticating to the FastGPT application with valid credentials
- Sending requests to /api/core/app/mcpTools/getTools or /api/core/app/mcpTools/runTool with malicious URL parameters
- Targeting internal addresses such as http://169.254.169.254/latest/meta-data/ (AWS metadata), http://localhost:27017 (MongoDB), or http://127.0.0.1:6379 (Redis)
- Receiving the server-side response, which may contain sensitive internal data
The security patch adds the missing isInternalAddress() check to the MCP tools endpoints:
import {
type GetMcpToolsBodyType,
type GetMcpToolsResponseType
} from '@fastgpt/global/openapi/core/app/mcpTools/api';
import { isInternalAddress, PRIVATE_URL_TEXT } from '@fastgpt/service/common/system/utils';
async function handler(
req: ApiRequestProps<GetMcpToolsBodyType>,
_res: ApiResponseType<any>
): Promise<GetMcpToolsResponseType> {
const { url, headerSecret } = GetMcpToolsBodySchema.parse(req.body);
if (await isInternalAddress(url)) {
return Promise.reject(PRIVATE_URL_TEXT);
}
const mcpClient = new MCPClient({
url,
headers: getSecretValue({
Source: GitHub Commit bc7eae2e
Detection Methods for CVE-2026-34163
Indicators of Compromise
- Unusual outbound requests from the FastGPT server to internal IP ranges (10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x)
- HTTP requests to cloud metadata endpoints (169.254.169.254) originating from the FastGPT application
- Unexpected connections to internal services such as MongoDB (port 27017) or Redis (port 6379) from the web application
- Anomalous API calls to /api/core/app/mcpTools/getTools or /api/core/app/mcpTools/runTool with internal or localhost URLs
Detection Strategies
- Monitor web application logs for requests to MCP tools endpoints containing internal IP addresses or localhost references
- Implement network segmentation monitoring to detect unauthorized lateral movement attempts from web application servers
- Deploy web application firewall (WAF) rules to inspect URL parameters in API requests for SSRF patterns
- Enable cloud metadata service logging (IMDSv2 enforcement) to detect unauthorized metadata access attempts
Monitoring Recommendations
- Configure alerts for outbound connections from FastGPT servers to RFC 1918 private address ranges
- Implement DNS query logging to detect resolution attempts for internal hostnames from web application servers
- Monitor authentication logs for accounts making high volumes of MCP tools API requests
- Set up anomaly detection for unusual response sizes or timing patterns from the MCP tools endpoints
How to Mitigate CVE-2026-34163
Immediate Actions Required
- Upgrade FastGPT to version 4.14.9.5 or later immediately
- Audit access logs for any historical exploitation attempts against the MCP tools endpoints
- Review any accounts that have accessed /api/core/app/mcpTools/getTools or /api/core/app/mcpTools/runTool endpoints
- Rotate credentials for internal services (MongoDB, Redis) if exploitation is suspected
Patch Information
FastGPT has released version 4.14.9.5 which addresses this vulnerability by adding the isInternalAddress() validation check to the MCP tools endpoints. The fix is available through:
Workarounds
- If immediate patching is not possible, implement network-level restrictions to prevent the FastGPT server from making outbound connections to internal services
- Deploy a reverse proxy or WAF rule to block requests to MCP tools endpoints containing internal IP addresses or metadata service URLs
- Restrict access to the MCP tools API endpoints to only trusted administrative users until the patch can be applied
- Enable IMDSv2 with hop limit of 1 on cloud instances to mitigate metadata service access
# Example: Block internal IP ranges at the network level (iptables)
# Apply on FastGPT server to prevent SSRF to internal services
iptables -A OUTPUT -d 169.254.169.254 -j DROP
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
