CVE-2026-54607 in FastGPTinfo

Summary

by MITRE • 07/08/2026

FastGPT is a knowledge-based AI application platform. Prior to 4.15.0-beta4, the HTTP-tool OpenAPI schema importer validates only the top-level URL before passing it to SwaggerParser.bundle, whose remote reference resolver fetches $ref URLs without FastGPT's internal-address guard and returns fetched content inline, allowing an authenticated team member to read internal services or cloud metadata. This issue is fixed in version 4.15.0-beta4.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/08/2026

This vulnerability exists within FastGPT's HTTP-tool OpenAPI schema importer functionality, representing a classic remote code execution and information disclosure risk that stems from inadequate input validation and insecure deserialization practices. The flaw occurs when the system validates only the top-level URL of an OpenAPI schema while failing to properly sanitize or restrict subsequent $ref references that are resolved by the underlying SwaggerParser.bundle component. This architectural oversight creates a pathway for authenticated attackers to bypass intended network security boundaries and access internal services or cloud metadata that should remain protected from external reach.

The technical implementation of this vulnerability follows a multi-stage attack pattern that leverages the trust relationship between FastGPT's internal components. When an authenticated team member submits an OpenAPI schema containing malicious $ref references, the system's initial validation permits the request to proceed without proper address sanitization. The SwaggerParser.bundle component then recursively resolves these references without FastGPT's internal address guards, effectively allowing it to fetch content from internal network resources or cloud metadata services that would normally be inaccessible from external networks. This behavior constitutes a direct violation of secure coding principles and represents an information disclosure vulnerability categorized under CWE-209 and potentially CWE-918.

The operational impact of this vulnerability extends beyond simple data exposure, as it provides attackers with access to internal network services that may contain sensitive configuration data, service endpoints, or metadata about the underlying infrastructure. The authenticated nature of the attack means that threat actors need only compromise a legitimate team member's credentials rather than attempting to gain unauthorized access through external exploits. This significantly lowers the attack threshold while increasing the potential damage scope. From an ATT&CK framework perspective, this vulnerability maps to techniques such as T1071.004 (Application Layer Protocol: DNS) and T1566 (Phishing) for initial access, followed by T1083 (File and Directory Discovery) and T1046 (Network Service Scanning) for reconnaissance activities.

Mitigation strategies should focus on implementing comprehensive input validation and address sanitization before any remote reference resolution occurs. The system must enforce strict network boundary controls that prevent the SwaggerParser.bundle from accessing internal addresses or services, requiring explicit whitelisting of allowed domains or IP ranges for external references. Additionally, FastGPT should implement proper isolation mechanisms between the schema import process and internal network resources, ensuring that no unauthorized access can occur through the OpenAPI import functionality. The fix in version 4.15.0-beta4 likely addresses this by strengthening the validation logic and implementing proper address filtering mechanisms that prevent the bypass of internal security controls during the schema processing phase. Organizations should also consider implementing network segmentation and monitoring solutions to detect unusual patterns of internal resource access that might indicate exploitation attempts.

Responsible

GitHub M

Reservation

06/15/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!