CVE-2026-44286 Overview
CVE-2026-44286 is a Server-Side Request Forgery (SSRF) vulnerability in FastGPT, an AI Agent building platform. Versions prior to 4.14.17 expose the fetchData function in the lafModule workflow node to attacker-controlled URLs. The function uses axios to fetch remote resources without validating destinations against the internal network blocklist guard isInternalAddress. Unauthenticated attackers, or authenticated users with App editing privileges, can issue arbitrary HTTP requests to internal and private network addresses. The maintainers patched the issue in version 4.14.17.
Critical Impact
Attackers can probe internal services, cloud metadata endpoints, and private network resources by bypassing the application's SSRF blocklist.
Affected Products
- FastGPT versions prior to 4.14.17
- FastGPT lafModule workflow node component
- Deployments exposing the FastGPT workflow execution API
Discovery Timeline
- 2026-05-08 - CVE-2026-44286 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-44286
Vulnerability Analysis
The vulnerability is classified as Server-Side Request Forgery [CWE-918]. FastGPT exposes a workflow node named lafModule that allows operators to integrate external HTTP endpoints into AI agent workflows. Inside this node, the fetchData function accepts a URL parameter and forwards it to the axios HTTP client.
FastGPT ships a centralized SSRF guard, isInternalAddress, that maintains a blocklist of internal and private IP ranges. Other request paths route through this guard before dispatching outbound traffic. The fetchData function does not call isInternalAddress, so requests skip the blocklist check entirely.
The EPSS score is 0.043% with a percentile of 13.293, reflecting low observed exploitation activity. The impact remains relevant for deployments that expose FastGPT to untrusted users or that run in cloud environments with instance metadata services reachable from the application host.
Root Cause
The root cause is missing input validation on the URL passed to axios inside fetchData. The function trusts user-supplied workflow configuration and does not enforce the application's documented SSRF policy. Centralized protections exist elsewhere in the codebase but were not applied to this code path.
Attack Vector
An attacker creates or edits a workflow that includes a lafModule node configured with a URL targeting an internal resource. Examples include http://127.0.0.1, http://169.254.169.254/latest/meta-data/ for cloud instance metadata, or RFC1918 addresses such as http://10.0.0.1. When the workflow executes, FastGPT issues the request from the server, returning response data to the attacker. The advisory indicates the issue is reachable by unauthenticated attackers in some configurations and by any authenticated user with App editing privileges.
No public proof-of-concept code has been published. Refer to the GitHub Security Advisory GHSA-xpx6-xcpf-76qg for vendor details.
Detection Methods for CVE-2026-44286
Indicators of Compromise
- Outbound HTTP requests from the FastGPT process to RFC1918 addresses, 127.0.0.0/8, or 169.254.169.254
- Workflow definitions containing lafModule nodes with URLs pointing to internal hostnames or private IP ranges
- Unexpected access patterns to cloud instance metadata endpoints originating from FastGPT hosts
Detection Strategies
- Inspect FastGPT workflow configurations for lafModule nodes referencing private IPs, loopback addresses, or cloud metadata URLs
- Enable application-level logging for outbound axios requests and correlate with workflow execution IDs
- Deploy egress filtering at the network edge and alert on FastGPT-originated traffic destined for internal subnets
Monitoring Recommendations
- Forward FastGPT application and proxy logs to a centralized analytics platform and search for anomalous internal destinations
- Monitor cloud audit logs for instance metadata access from application workloads that should not require it
- Track workflow creation and edit events to identify accounts modifying lafModule configurations
How to Mitigate CVE-2026-44286
Immediate Actions Required
- Upgrade FastGPT to version 4.14.17 or later (see the FastGPT v4.14.17 release notes for upgrade steps)
- Restrict App editing privileges to trusted users until the upgrade is complete
- Block FastGPT egress traffic to internal address ranges and cloud metadata endpoints at the network layer
Patch Information
The maintainers released the fix in FastGPT 4.14.17. The patch applies the isInternalAddress blocklist guard to the fetchData function in the lafModule workflow node, rejecting URLs that resolve to private or loopback ranges before the request is dispatched.
Workarounds
- Place FastGPT behind an egress proxy that denies traffic to RFC1918 ranges, loopback, and link-local addresses including 169.254.169.254
- Run FastGPT in a network segment without routes to sensitive internal services or metadata APIs
- Disable the lafModule workflow node in deployments that do not require external HTTP integrations
# Example egress restriction using iptables: drops traffic from the FastGPT service account
# to the cloud metadata endpoint and the RFC1918 ranges. "fastgpt" stands for the account
# the process actually runs as; the rules must precede any ACCEPT rule in the OUTPUT chain.
iptables -A OUTPUT -m owner --uid-owner fastgpt -d 169.254.169.254 -j DROP
iptables -A OUTPUT -m owner --uid-owner fastgpt -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner fastgpt -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -m owner --uid-owner fastgpt -d 192.168.0.0/16 -j DROP
# Loopback (127.0.0.0/8) is deliberately not covered here; add a rule for it only if the
# process needs no local services, otherwise rely on the application-level guard.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.