Agents
FastGPT CVE-2026-44284: MCP Tool URL SSRF Bypass via Stored Internal Endpoint in Workflow Execution
FastGPT patched CVE-2026-44284 (CVSS 6.3) in version 4.14.17. The vulnerability exploits an inconsistency in MCP tool URL handling: preview/run endpoints rejected internal network URLs, but create/update endpoints allowed saving internal MCP server URLs like http://localhost:3000/mcp. Workflow execution later used stored URLs without revalidation, enabling authenticated SSRF against internal services. A textbook example of the MCP tool boundary problem where stored-then-fetched URLs bypass runtime protections.
↳ Follow the thread