CVE-2026-40100 Overview
CVE-2026-40100 is a Server-Side Request Forgery (SSRF) vulnerability in FastGPT, an AI Agent building platform. Prior to version 4.14.10.3, the /api/core/app/mcpTools/runTool endpoint accepts arbitrary URLs without authentication. The internal IP check in the isInternalAddress() function only blocks private IPs when CHECK_INTERNAL_IP=true, which is not enabled by default. This security gap allows unauthenticated attackers to perform SSRF attacks against internal network resources.
Critical Impact
Unauthenticated attackers can leverage this SSRF vulnerability to access internal network resources, potentially exposing sensitive data and enabling further lateral movement within the network infrastructure.
Affected Products
- FastGPT versions prior to 4.14.10.3
Discovery Timeline
- 2026-04-10 - CVE CVE-2026-40100 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-40100
Vulnerability Analysis
This Server-Side Request Forgery (SSRF) vulnerability exists in FastGPT's MCP (Model Context Protocol) tools implementation. The vulnerable endpoint /api/core/app/mcpTools/runTool is designed to execute tool operations but fails to properly validate and restrict the URLs it accepts.
The core issue lies in the inadequate default configuration of the isInternalAddress() function. While the function contains logic to check for private/internal IP addresses, this protection is gated behind an environment variable CHECK_INTERNAL_IP that must be explicitly set to true. Since this is not the default behavior, most deployments remain vulnerable to SSRF attacks.
Attackers exploiting this vulnerability can craft requests to the vulnerable endpoint, directing the FastGPT server to make HTTP requests to arbitrary internal or external URLs. This can be leveraged to scan internal networks, access cloud metadata services (such as AWS EC2 metadata at 169.254.169.254), or interact with internal services that are not exposed to the public internet.
Root Cause
The root cause of this vulnerability is insufficient default security controls in the URL validation mechanism. The isInternalAddress() function provides IP address filtering capabilities, but this protection is opt-in rather than opt-out. By not enabling internal IP checking by default, the application exposes organizations to SSRF attacks unless administrators explicitly configure the CHECK_INTERNAL_IP=true environment variable.
Additionally, the /api/core/app/mcpTools/runTool endpoint lacks authentication requirements, allowing any external attacker to exploit this vulnerability without needing valid credentials.
Attack Vector
The attack vector for CVE-2026-40100 is network-based, requiring no authentication and no user interaction. An attacker can send crafted HTTP requests directly to the vulnerable endpoint, specifying arbitrary internal URLs as targets.
The attack flow typically involves:
- An attacker identifies a FastGPT instance with the vulnerable endpoint exposed
- The attacker crafts a request to /api/core/app/mcpTools/runTool with a target URL pointing to an internal resource
- The FastGPT server processes the request and makes an outbound HTTP request to the specified URL
- The server returns the response to the attacker, potentially exposing sensitive internal data
For detailed technical information about this vulnerability, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-40100
Indicators of Compromise
- Unusual outbound HTTP requests from FastGPT servers to internal IP ranges (e.g., 10.x.x.x, 172.16.x.x, 192.168.x.x)
- Requests to cloud metadata endpoints such as 169.254.169.254
- High volume of requests to the /api/core/app/mcpTools/runTool endpoint from external sources
- Access logs showing requests with internal URLs or localhost references in request parameters
Detection Strategies
- Monitor network traffic for outbound connections from FastGPT servers to internal network segments that should not be accessed
- Implement Web Application Firewall (WAF) rules to detect and block SSRF patterns targeting the /api/core/app/mcpTools/runTool endpoint
- Review application logs for unusual URL patterns in the MCP tools endpoint requests
- Deploy network segmentation monitoring to detect unauthorized access attempts to internal services
Monitoring Recommendations
- Enable detailed logging on FastGPT instances to capture all requests to the /api/core/app/mcpTools/runTool endpoint
- Set up alerts for requests containing internal IP addresses, localhost references, or cloud metadata URLs
- Monitor for reconnaissance patterns such as sequential IP scanning through the vulnerable endpoint
- Implement egress filtering and monitoring to detect unauthorized outbound connections
How to Mitigate CVE-2026-40100
Immediate Actions Required
- Upgrade FastGPT to version 4.14.10.3 or later immediately
- Set the environment variable CHECK_INTERNAL_IP=true to enable internal IP address blocking
- Implement authentication requirements for the /api/core/app/mcpTools/runTool endpoint at the network or application layer
- Review access logs for evidence of exploitation attempts
Patch Information
The vulnerability has been fixed in FastGPT version 4.14.10.3. Users should upgrade to this version or later to remediate the vulnerability. For more details, see the GitHub Security Advisory.
Workarounds
- Enable the internal IP check by setting CHECK_INTERNAL_IP=true in the environment configuration
- Use a reverse proxy or WAF to block external access to the /api/core/app/mcpTools/runTool endpoint
- Implement network-level controls to restrict outbound connections from FastGPT servers
- Deploy egress filtering to prevent the server from connecting to internal IP ranges or sensitive endpoints
# Configuration example - Enable internal IP checking
export CHECK_INTERNAL_IP=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
