CVE-2026-44286
Description
FastGPT is an AI Agent building platform. Prior to version 4.14.17, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability allows attackers (or authenticated users with App editing privileges) to send arbitrary HTTP requests to internal/private network addresses. The fetchData function in the lafModule workflow node uses axios to fetch user-controlled URLs without validating them against the application's internal network blocklist guard (isInternalAddress), bypassing SSRF protections. This issue has been patched in version 4.14.17.
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
References
Frequently Asked Questions
What is CVE-2026-44286? +
How do I check if I'm vulnerable to CVE-2026-44286? +
Related Vulnerabilities
MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a server-side request forgery (SSRF) …
MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, SSRF via work_flow_template Import. Authenticated users can supply arbitrary …
A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause the server …
pupnp is an SDK for development of UPnP device and control point applications. Prior to version 1.18.5, pupnp is vulnerable …
Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, an SSRF vulnerability …
Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through …