CVE-2026-44285 Overview
CVE-2026-44285 is a Server-Side Request Forgery (SSRF) vulnerability in FastGPT, an open-source AI Agent building platform developed by Labring. The flaw affects all versions prior to 4.15.0-beta1. An authenticated attacker can bypass the global isInternalAddress network protection and issue arbitrary HTTP GET requests to internal network services. The issue stems from an incomplete fix in the dataset preview endpoint /api/core/dataset/file/getPreviewChunks when the request uses the externalFile data import type. The weakness is classified as CWE-918 (Server-Side Request Forgery) and is fixed in version 4.15.0-beta1.
Critical Impact
Authenticated attackers can pivot through FastGPT to reach internal-only services, cloud metadata endpoints, and unauthenticated admin interfaces hosted on private network segments.
Affected Products
- FastGPT versions prior to 4.15.0-beta1
- Deployments using the externalFile dataset import type
- Self-hosted FastGPT instances exposing /api/core/dataset/file/getPreviewChunks
Discovery Timeline
- 2026-05-29 - CVE-2026-44285 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-44285
Vulnerability Analysis
FastGPT enforces a global isInternalAddress check intended to block outbound requests targeting RFC1918 ranges, loopback addresses, and link-local metadata endpoints. The dataset preview endpoint /api/core/dataset/file/getPreviewChunks accepts a user-supplied URL when the request body specifies the externalFile data import type. The validation logic does not consistently apply the internal-address filter to this code path, leaving a bypass that authenticated callers can trigger.
Because the server fetches the supplied URL on behalf of the user, the response (or its parsed chunks) is returned to the attacker. This enables reconnaissance and data retrieval against services that trust the FastGPT host's network position. Confidentiality impact is high while integrity and availability are unaffected, consistent with a read-oriented SSRF.
Root Cause
The root cause is an incomplete remediation of a prior SSRF issue. The global URL guard was not propagated into the externalFile branch of the dataset preview handler. As a result, attacker-controlled URLs flow into the server-side HTTP client without re-validation, defeating the centralized defense.
Attack Vector
Exploitation requires a valid authenticated session on the FastGPT instance. The attacker issues a POST request to /api/core/dataset/file/getPreviewChunks with the data import type set to externalFile and a target URL pointing to an internal resource such as http://169.254.169.254/latest/meta-data/, http://127.0.0.1:<port>/, or an internal admin API. The server performs the GET request and returns parsed content to the caller.
No verified public proof-of-concept code is published. See the GitHub Security Advisory GHSA-c65v-7vx6-f8m3 for vendor technical detail.
Detection Methods for CVE-2026-44285
Indicators of Compromise
- Requests to /api/core/dataset/file/getPreviewChunks containing the externalFile import type and a URL targeting RFC1918, loopback, or 169.254.169.254 addresses
- Outbound HTTP GET traffic from the FastGPT application host to internal-only services not part of normal application workflows
- Unusual volumes of dataset preview calls from a single authenticated user account
Detection Strategies
- Inspect application logs for getPreviewChunks calls and correlate the submitted URL parameter against an allowlist of expected external file hosts
- Deploy a forward proxy or egress firewall in front of FastGPT and alert on requests destined for internal CIDRs or cloud metadata IPs
- Add a Web Application Firewall (WAF) rule that blocks requests to the preview endpoint when the body references internal IP literals or hostnames resolving to private ranges
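The allowlist correlation from the first strategy above, combined with the per-account volume indicator, as an added example that is not FastGPT tooling; the log format, field names, allowlist and sample lines are constructed for the illustration.

```typescript
// Added example, not FastGPT tooling: allowlist correlation for getPreviewChunks calls plus a
// per-account volume check. Log format, field names, allowlist and sample lines are constructed.

interface PreviewLog { ts: number; user: string; path: string; importType: string; sourceUrl: string; }
interface Alert { rule: "host-not-allowlisted" | "volume"; user: string; detail: string; }
const PREVIEW_PATH = "/api/core/dataset/file/getPreviewChunks";
const ALLOWED_HOSTS = new Set(["files.example.com", "cdn.example.org"]); // constructed allowlist

function parseLine(line: string): PreviewLog | null {
  try { return JSON.parse(line) as PreviewLog; } catch { return null; } // skip non-JSON lines
}
function hostOf(url: string): string | null {
  try { return new URL(url).hostname.replace(/^\[|\]$/g, "").toLowerCase(); }
  catch { return null; } // malformed or missing URL: treated as not allowlisted
}

function detectPreviewAbuse(lines: string[], maxPerWindow = 20, windowMs = 60000): Alert[] {
  const alerts: Alert[] = [];
  const perUser = new Map<string, number[]>(); // preview-call timestamps per account
  for (const line of lines) {
    const rec = parseLine(line);
    if (rec === null || rec.path !== PREVIEW_PATH) continue;
    // Rule 1: an externalFile source must point at an expected external file host.
    if (rec.importType === "externalFile") {
      const host = hostOf(rec.sourceUrl);
      if (host === null || !ALLOWED_HOSTS.has(host)) {
        alerts.push({ rule: "host-not-allowlisted", user: rec.user, detail: String(rec.sourceUrl) });
      }
    }
    // Rule 2: sliding-window count of preview calls per account, fired once at the crossing.
    const times = perUser.get(rec.user) ?? [];
    times.push(rec.ts);
    while (times.length > 0 && times[0] < rec.ts - windowMs) times.shift();
    perUser.set(rec.user, times);
    if (times.length === maxPerWindow + 1) {
      alerts.push({ rule: "volume", user: rec.user, detail: `${times.length} preview calls within ${windowMs / 1000}s` });
    }
  }
  return alerts;
}

// Constructed sample lines (not real FastGPT logs): two benign previews, one externalFile
// preview aimed at the link-local metadata address, one call to an unrelated endpoint.
const SAMPLE_LOGS: string[] = [
  JSON.stringify({ ts: 1000, user: "alice", path: PREVIEW_PATH, importType: "link", sourceUrl: "https://example.org/a.html" }),
  JSON.stringify({ ts: 2000, user: "bob", path: PREVIEW_PATH, importType: "externalFile", sourceUrl: "https://files.example.com/report.pdf" }),
  JSON.stringify({ ts: 3000, user: "carol", path: PREVIEW_PATH, importType: "externalFile", sourceUrl: "http://169.254.169.254/latest/meta-data/" }),
  JSON.stringify({ ts: 4000, user: "carol", path: "/api/unrelated/endpoint", importType: "externalFile", sourceUrl: "http://10.0.0.8/" }),
];
```

Running detectPreviewAbuse over SAMPLE_LOGS yields a single host-not-allowlisted alert for carol; the unrelated-endpoint line is filtered out by path before either rule runs.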
Monitoring Recommendations
- Capture and retain full request bodies for the dataset preview endpoint to enable retrospective hunting
- Monitor for authenticated API tokens that suddenly begin making dataset preview calls at scale
- Alert on any FastGPT process connection to cloud metadata services (169.254.169.254, metadata.google.internal)
How to Mitigate CVE-2026-44285
Immediate Actions Required
- Upgrade FastGPT to version 4.15.0-beta1 or later, which contains the complete SSRF fix
- Restrict access to FastGPT administrative and dataset APIs to trusted user accounts only
- Place FastGPT behind an egress filter that denies outbound traffic to internal CIDRs and cloud metadata endpoints
Patch Information
Labring released the fix in FastGPT 4.15.0-beta1. The patch extends the isInternalAddress validation to the externalFile branch of the /api/core/dataset/file/getPreviewChunks handler so that user-supplied URLs are rejected when they resolve to internal addresses. Refer to the GitHub Security Advisory GHSA-c65v-7vx6-f8m3 for upgrade guidance.
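The defect described under Root Cause and the shape of the fix described above, as an added example that is not code from the FastGPT project: a guard that one branch of the handler skips, beside a handler that validates once before dispatching. All names here (ImportType, PreviewRequest, Resolver, previewChunksVulnerable, previewChunksFixed) are hypothetical, and DNS resolution is injected so the example runs offline.

```typescript
// Added example, not code from the FastGPT project: models a central internal-address guard that
// one handler branch skips. Every name here (ImportType, PreviewRequest, Resolver, previewChunks*) is hypothetical.

type ImportType = "link" | "externalFile"; // "link" stands in for the other URL-bearing import types
interface PreviewRequest { type: ImportType; sourceUrl: string; }
type Resolver = (host: string) => string[]; // DNS is injected so the example runs offline

function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// The address classes the advisory names: RFC1918, loopback, link-local (169.254.0.0/16).
function isInternalAddress(addr: string): boolean {
  if (addr === "::1" || addr === "::") return true;
  const v4 = addr.startsWith("::ffff:") ? addr.slice(7) : addr; // IPv4-mapped IPv6
  const n = ipv4ToInt(v4);
  if (n === null) return true; // other IPv6 or unparseable input: fail closed
  return (n >>> 24) === 10 || (n >>> 24) === 127 || (n >>> 24) === 0 ||
    (n >>> 20) === 0xac1 ||  // 172.16.0.0/12
    (n >>> 16) === 0xc0a8 || // 192.168.0.0/16
    (n >>> 16) === 0xa9fe;   // 169.254.0.0/16
}

// Single choke point: scheme check, then every address the host resolves to must be external.
function assertExternal(url: string, resolve: Resolver): URL {
  const u = new URL(url); // WHATWG parsing canonicalises numeric hosts (octal, decimal, short forms)
  if (u.protocol !== "http:" && u.protocol !== "https:") throw new Error("scheme not allowed");
  const host = u.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  const addrs = (ipv4ToInt(host) !== null || host.includes(":")) ? [host] : resolve(host);
  if (addrs.length === 0 || addrs.some(isInternalAddress)) throw new Error(`internal target rejected: ${host}`);
  return u;
}

// Pre-fix shape: the guard sits inside one branch, so externalFile never reaches it.
function previewChunksVulnerable(req: PreviewRequest, resolve: Resolver): string {
  if (req.type === "link") return assertExternal(req.sourceUrl, resolve).href;
  return new URL(req.sourceUrl).href; // externalFile: handed to the HTTP client unvalidated
}

// Fixed shape: validate before dispatching on import type, so no branch can skip the guard.
function previewChunksFixed(req: PreviewRequest, resolve: Resolver): string {
  return assertExternal(req.sourceUrl, resolve).href; // the URL the server would now fetch
}
```

Both functions return the URL the server-side client would fetch rather than fetching it, so the difference between the two shapes is visible without any network access.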
Workarounds
- Block or proxy the /api/core/dataset/file/getPreviewChunks endpoint at the reverse proxy until the upgrade is applied
- Enforce strict egress network policies on the FastGPT host that deny connections to RFC1918, loopback, and 169.254.0.0/16 ranges
- Disable the externalFile data import path in deployments where it is not required
# Example NGINX reverse-proxy workaround: refuse the vulnerable endpoint outright until the upgrade is applied.
# This blocks inbound calls at the proxy; egress filtering of the FastGPT host itself is the separate control listed above.
location = /api/core/dataset/file/getPreviewChunks {
    deny all;     # rejected in the access phase
    return 403;   # answered in the rewrite phase, which runs first, so either directive alone suffices
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.