CVE-2026-26075

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

F

astGPT is an AI Agent building platform. Due to the fact that FastGPT's web page acquisition nodes, HTTP nodes, etc. need to initiate data acquisition requests from the server, there are certain security issues. In addition to implementing internal network isolation in the deployment environment, this optimization has added stricter internal network address detection. This vulnerability is fixed in 4.14.7.

References

Link	Resource
https://github.com/labring/FastGPT/releases/tag/v4.14.7	Product Release Notes
https://github.com/labring/FastGPT/security/advisories/GHSA-g345-7pqp-c395	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:fastgpt:fastgpt:*:*:*:*:*:*:*:*

History

23 Feb 2026, 16:52

Type	Values Removed	Values Added
References	~~() https://github.com/labring/FastGPT/releases/tag/v4.14.7 -~~	() https://github.com/labring/FastGPT/releases/tag/v4.14.7 - Product, Release Notes
References	~~() https://github.com/labring/FastGPT/security/advisories/GHSA-g345-7pqp-c395 -~~	() https://github.com/labring/FastGPT/security/advisories/GHSA-g345-7pqp-c395 - Vendor Advisory
Summary		(es) FastGPT es una plataforma de creación de Agentes de IA. Debido a que los nodos de adquisición de páginas web de FastGPT, los nodos HTTP, etc., necesitan iniciar solicitudes de adquisición de datos desde el servidor, existen ciertos problemas de seguridad. Además de implementar el aislamiento de red interno en el entorno de despliegue, esta optimización ha añadido una detección más estricta de direcciones de red internas. Esta vulnerabilidad se corrige en 4.14.7.
First Time		Fastgpt Fastgpt fastgpt
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4
CPE		cpe:2.3:a:fastgpt:fastgpt::::::::

13 Feb 2026, 14:23

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-12 22:16

Updated : 2026-02-23 16:52

NVD link : CVE-2026-26075

Mitre link : CVE-2026-26075

CVE.ORG link : CVE-2026-26075

JSON object : View

Products Affected

fastgpt

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2026-26075", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-12T22:16:06.817", "references": [{"url": "https://github.com/labring/FastGPT/releases/tag/v4.14.7", "tags": ["Product", "Release Notes"], "source": "[email protected]"}, {"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-g345-7pqp-c395", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "FastGPT is an AI Agent building platform. Due to the fact that FastGPT's web page acquisition nodes, HTTP nodes, etc. need to initiate data acquisition requests from the server, there are certain security issues. In addition to implementing internal network isolation in the deployment environment, this optimization has added stricter internal network address detection. This vulnerability is fixed in 4.14.7."}, {"lang": "es", "value": "FastGPT es una plataforma de creaci\u00f3n de Agentes de IA. Debido a que los nodos de adquisici\u00f3n de p\u00e1ginas web de FastGPT, los nodos HTTP, etc., necesitan iniciar solicitudes de adquisici\u00f3n de datos desde el servidor, existen ciertos problemas de seguridad. Adem\u00e1s de implementar el aislamiento de red interno en el entorno de despliegue, esta optimizaci\u00f3n ha a\u00f1adido una detecci\u00f3n m\u00e1s estricta de direcciones de red internas. Esta vulnerabilidad se corrige en 4.14.7."}], "lastModified": "2026-02-23T16:52:24.110", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fastgpt:fastgpt:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4B82EB8E-E295-4AC5-B171-838B7FB3A5F0", "versionEndExcluding": "4.14.7"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}