CVE-2026-61646 in FastGPT
Summary
by MITRE • 07/15/2026
FastGPT is a knowledge-based AI application platform. Prior to 4.15.0-beta5, FastGPT's shared SSRF guard validates only the initial request URL before handing the request to axios, and axios follows redirects by default. An authenticated workflow user can configure an HTTP request node to call an attacker-controlled public URL that redirects to cloud metadata, loopback, or internal services that the guard would block on direct request, and the HTTP node returns the response body to the workflow caller. This issue is fixed in version 4.15.0-beta5.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/15/2026
This vulnerability exists within FastGPT's shared server-side request forgery (SSRF) protection mechanism, specifically affecting versions prior to 4.15.0-beta5. The flaw stems from a validation approach that only examines the initial request URL rather than following the complete redirect chain, creating a critical security gap in the platform's access controls.
The technical implementation of this vulnerability exploits how axios handles HTTP requests by defaulting to automatic redirect following. When an authenticated workflow user configures an HTTP request node, they can specify a URL that initially appears benign but redirects to internal or sensitive targets such as cloud metadata services, loopback addresses, or other restricted internal endpoints. The SSRF guard mechanism correctly blocks direct access to these dangerous destinations, but fails to account for the redirect behavior that occurs after the initial validation passes.
This vulnerability allows an authenticated attacker to bypass security controls by leveraging the default redirect behavior of HTTP clients. The workflow system processes the request and returns the response from the final destination back to the workflow caller, effectively enabling access to internal services that should remain protected. The impact extends beyond simple information disclosure as it can provide attackers with access to sensitive metadata, internal APIs, or other confidential resources that are typically restricted from external access.
The vulnerability aligns with CWE-918, Server-Side Request Forgery, which specifically addresses the issue of malicious actors manipulating applications into making unintended requests to internal systems. From an ATT&CK perspective, this represents a technique for privilege escalation and lateral movement through the use of authenticated workflow nodes to access restricted resources. The attack vector demonstrates how default client behaviors can undermine security controls when not properly accounted for in validation logic.
Organizations using FastGPT should immediately update to version 4.15.0-beta5 or later where the fix addresses this by ensuring that redirect chains are properly validated or by disabling automatic redirects in the HTTP request handling process. Additional mitigations include implementing stricter URL validation policies, monitoring workflow configurations for suspicious redirect patterns, and establishing network segmentation to limit access to internal services even when bypassing initial security controls. The fix should also incorporate proper logging of all HTTP requests and their redirect chains to enable detection of similar patterns in other applications.