LeakyCreds

CVE-2026-34163 - Vulnerability Analysis

High (CVSS: 7.7)

Last Updated: April 1, 2026

FastGPT - Server Side Request Forgery

Published: March 31, 2026 | Updated: April 1, 2026 | PoC Available | Remote Exploitable

Overview

FastGPT versions before 4.14.9.5 contain a server-side request forgery (SSRF) vulnerability. The MCP tools endpoints do not validate whether a requested address is internal, so authenticated attackers can scan internal networks and access internal services.

Severity & Score

Severity: High
CVSS Score: 7.7
EPSS Score: 2.8% (probability of exploitation in the next 30 days)

Impact

Authenticated attackers can scan internal networks and access sensitive internal services, potentially leading to data exposure or further compromise.

Mitigation

Upgrade to version 4.14.9.5 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 31, 2026

🟠 CVE-2026-34163 - High (7.7) FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, FastGPT's MCP (Model Context Protocol) tools endpoints (/api/core/app/mcpTools/getTools and /api/core/app/mcpTools/runTool) accept a user-supplied URL parameter and make server-s... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-34163/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-34163
Severity: High
CVSS Score: 7.7
Type: server_side_request_forgery
Status: confirmed
EPSS: 2.8%
Social Posts: 1

CWE

  • CWE-918

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

EPSS Score

2.8% (probability of exploitation in the next 30 days)