Description

FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, a Server-Side Request Forgery (SSRF) vulnerability allows an authenticated attacker to bypass the global isInternalAddress network protection and make arbitrary HTTP GET requests to internal network services. This is achieved by exploiting an incomplete fix in the dataset preview endpoint /api/core/dataset/file/getPreviewChunks when utilizing the externalFile data import type. This vulnerability is fixed in 4.15.0-beta1.

PUBLISHED Reserved 2026-05-05 | Published 2026-05-29 | Updated 2026-06-01 | Assigner GitHub_M




HIGH: 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Problem types

CWE-918: Server-Side Request Forgery (SSRF)

Product status

< 4.15.0-beta1
affected

References

github.com/...astGPT/security/advisories/GHSA-c65v-7vx6-f8m3 exploit

github.com/...astGPT/security/advisories/GHSA-c65v-7vx6-f8m3

cve.org (CVE-2026-44285)

nvd.nist.gov (CVE-2026-44285)