cbcvebase.
CVE-2026-34162
published 2026-03-31

CVE-2026-34162: FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint (/api/core/app/httpTools/runTool) is exposed…

PriorityP265critical10CVSS 3.1
AVNACLPRNUINSCCHIHAN
EPSS
0.42%
33.3th percentile
FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint (/api/core/app/httpTools/runTool) is exposed without any authentication. This endpoint acts as a full HTTP proxy — it accepts a user-supplied baseUrl, toolPath, HTTP method, custom headers, and body, then makes a server-side HTTP request and returns the complete response to the caller. This issue has been patched in version 4.14.9.5.

Affected

2 ranges
VendorProductVersion rangeFixed in
fastgptfastgpt< 4.14.9.54.14.9.5
labringfastgpt< 4.14.9.54.14.9.5
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.