CVE-2026-44285: FastGPT: SSRF Protection Bypass via `externalFile` in Dataset Preview API
FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, a Server-Side Request Forgery (SSRF) vulnerability allows an authenticated attacker to bypass the global isInternalAddress network protection and make arbitrary HTTP GET requests to internal network services. This is achieved by exploiting an incomplete fix in the dataset preview endpoint /api/core/dataset/file/getPreviewChunks when utilizing the externalFile data import type. This vulnerability is fixed in 4.15.0-beta1.
HarborGuard Analysis
Synopsis
Server-Side Request Forgery (SSRF) in FastGPT, an AI agent building platform, lets an authenticated user bypass the platform's internal-address protection by abusing the externalFile data import path in the dataset preview endpoint /api/core/dataset/file/getPreviewChunks. The bug is reachable over the network and requires only a low-privilege account, with no victim interaction, and lets the attacker coerce the server into making arbitrary HTTP GET requests to internal services and reading their responses. A patched-image rebuild at 4.15.0-beta1 is available on HarborGuard for affected environments.
HarborGuard Coverage
- Detection: Available
Detection is available across every HarborGuard environment. The CVE record is ingested from upstream feeds within minutes of publication and matched against FastGPT images in customer registries and pipelines, including custom-built images that bundle labring/FastGPT below 4.15.0-beta1.
- Triage: Available
Triage is available with the published CVSS v3.1 score of 7.7 (High) layered against each customer's compliance policy, so an internet-exposed FastGPT instance can be weighted differently from an isolated internal one. Findings are routed to the appropriate inbox inside each customer organization based on image ownership and workload tags.
- Remediation: Pending upstream
A patched-image rebuild at FastGPT 4.15.0-beta1 is available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, the rebuild is produced and run through regression tests, and a pull request is opened against the affected workloads.
Exploit Conditions
- Network reachability: Required
The attacker must reach the FastGPT API over the network (AV:N), so any instance exposed to users or the internet is in scope.
- Authentication: Required
A low-privilege FastGPT account is sufficient (PR:L); no admin role is needed to call the dataset preview endpoint.
- Victim interaction: Not required
No user has to click or open anything (UI:N); the attacker drives the request directly against the API.
- Attack complexity: Low
AC:L indicates the exploit is reliable and free of race conditions or environmental prerequisites once the attacker has credentials.
Blast Radius
- Reads responses from internal-only HTTP services that the FastGPT server can reach, such as cloud metadata endpoints, admin consoles, and unauthenticated internal APIs.
- Enumerates internal network topology by probing hosts and ports through the server's outbound HTTP GET path.
- Discloses sensitive data returned by those internal endpoints (C:H), including tokens or configuration exposed by metadata services; integrity and availability of FastGPT itself are not directly affected (I:N/A:N).
How HarborGuard Handles This
Available on HarborGuard: a patched-image rebuild at FastGPT 4.15.0-beta1 is published for affected environments, and for customers who opt into auto-remediation the rebuild is regression-tested and proposed via a pull request against affected workloads. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in auto-remediation environments. Where compliance policy blocks automatic upgrades, HarborGuard surfaces the finding with suggested compensating controls such as restricting FastGPT egress to known dataset hosts, blocking access to cloud metadata IPs, and tightening account provisioning so untrusted users cannot reach the dataset preview API.
Metrics
- CVSS v3.1: 7.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
- labring/FastGPT < 4.15.0-beta1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N