
FastGPT AI Platform Exposes Unauthenticated RCE Endpoint, CVSS Score 10.0

Wednesday, April 1, 2026
Global
NVD

Summary

A maximum-severity vulnerability (CVE-2026-34162, CVSS 10.0) in FastGPT, a popular platform for building AI agents, exposes its HTTP tools testing endpoint without any authentication. Unauthenticated attackers can use the endpoint to make arbitrary server-side HTTP requests (a server-side request forgery, SSRF) and, on affected instances, potentially achieve remote code execution.

Threat Analysis

CVE-2026-34162 affects FastGPT versions prior to 4.14.9.5. The vulnerability lies in the /api/core/app/httpTools/runTool endpoint, the handler used to test HTTP tools, which is reachable without authentication and acts as a server-side request proxy: it issues whatever HTTP request the caller describes and returns the response. An unauthenticated attacker can therefore use the endpoint as an SSRF primitive to make arbitrary HTTP requests from the FastGPT host, reach internal network resources that are not exposed to the Internet (for example internal admin APIs or cloud metadata services), and, depending on what those internal services allow, potentially escalate to remote code execution.

FastGPT is widely used in enterprise AI deployments for building agents and workflows, so the platform typically already has network reachability to sensitive internal services; that is what makes an unauthenticated SSRF in it so dangerous. The vulnerability was published on March 31, 2026 and received the maximum CVSS score of 10.0.

Organizations running FastGPT should upgrade to version 4.14.9.5 or later immediately. If patching cannot happen right away, restrict network access to the FastGPT instance and enforce authentication (or block the path outright) for /api/core/app/httpTools/runTool at the reverse proxy, since the application itself does not check credentials on that route in affected versions. Also review access logs for requests to /api/core/app/httpTools/runTool. Because the endpoint requires no credentials, a 2xx response says nothing about who the caller was, so treat any request to it from a source outside your expected operator or admin network as a likely exploitation attempt, regardless of status code, and check egress logs from the same time window for unexpected outbound connections from the FastGPT host.
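To operationalise the two stop-gap mitigations above, the following Python script (an added example written for this advisory, not FastGPT project code) checks a FastGPT version string against the fixed release and scans reverse-proxy access logs for requests to the vulnerable endpoint from outside an operator allowlist. The log lines, the 10.0.0.0/8 operator range and the nginx/Apache "combined" log format are assumptions for the example.

```python
"""Triage helpers for CVE-2026-34162 (FastGPT /api/core/app/httpTools/runTool).

Added example for this advisory; it is not FastGPT project code. It assumes a
reverse proxy (nginx or Apache) in front of FastGPT writing the standard
"combined" access-log format. All log lines below are constructed.
"""
import re
from ipaddress import ip_address, ip_network

FIXED_VERSION = "4.14.9.5"                      # first release without the flaw, per the advisory
VULN_PATH = "/api/core/app/httpTools/runTool"   # the unauthenticated proxy endpoint

# combined format: client ident user [time] "METHOD path HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# RFC 1918 / loopback ranges; used only to label a hit as internal or external
PRIVATE_NETS = [ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample: two probes from one Internet host, one legitimate internal
# test from the workflow editor, and an unrelated authenticated-API request.
SAMPLE_LOG = """\
203.0.113.45 - - [31/Mar/2026:22:14:03 +0000] "POST /api/core/app/httpTools/runTool HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.12 - - [31/Mar/2026:22:15:11 +0000] "POST /api/core/app/httpTools/runTool HTTP/1.1" 200 2048 "https://fastgpt.internal/app/detail" "Mozilla/5.0"
198.51.100.7 - - [31/Mar/2026:22:16:40 +0000] "GET /api/core/app/list HTTP/1.1" 401 0 "-" "curl/8.4.0"
203.0.113.45 - - [31/Mar/2026:22:17:02 +0000] "POST /api/core/app/httpTools/runTool?x=1 HTTP/1.1" 500 77 "-" "python-requests/2.31"
"""


def parse_version(version: str) -> tuple:
    """Turn '4.14.9.5' or 'v4.14.9.5' into a comparable tuple of ints.

    Non-numeric components (e.g. 'rc1') sort below any number, so a
    pre-release of the fixed version is still reported as vulnerable.
    """
    parts = []
    for piece in version.lstrip("v").split("."):
        parts.append(int(piece) if piece.isdigit() else -1)
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the running FastGPT version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_runtool_hits(lines, allowlist=()):
    """Return every request to VULN_PATH whose source is not in `allowlist`.

    The endpoint enforces no authentication in affected versions, so a 2xx
    status says nothing about who called it; every hit is reported regardless
    of status, and callers outside the operator networks given in `allowlist`
    should be treated as exploitation attempts.
    """
    allowed = [ip_network(cidr) for cidr in allowlist]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                   # skip malformed lines
        path = m.group("path").split("?", 1)[0]        # drop any query string
        if path.rstrip("/") != VULN_PATH:
            continue
        src = ip_address(m.group("ip"))
        if any(src in net for net in allowed):
            continue                                   # expected operator traffic
        hits.append({
            "ip": str(src),
            "ts": m.group("ts"),
            "method": m.group("method"),
            "status": int(m.group("status")),
            "external": not any(src in net for net in PRIVATE_NETS),
        })
    return hits


if __name__ == "__main__":
    for v in ("4.14.9.4", "4.14.9.5"):
        print(f"FastGPT {v}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
    for hit in find_runtool_hits(SAMPLE_LOG.splitlines(), allowlist=("10.0.0.0/8",)):
        print(f"[{hit['ts']}] {hit['ip']:<15} {hit['method']} -> {hit['status']} "
              f"{'EXTERNAL' if hit['external'] else 'internal'}")
```

Run against the constructed sample with the 10.0.0.0/8 allowlist, the scan reports the two requests from 203.0.113.45 (including the one that returned 500, since a failed probe is still a probe) and ignores the internal editor request. The proxy-side equivalent of that allowlist is a path-scoped rule placed ahead of the generic proxy location; in nginx, for example, a `location = /api/core/app/httpTools/runTool` block containing `allow 10.0.0.0/8; deny all;` (operator range assumed) before the `proxy_pass` to FastGPT.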

Last updated: Apr 1, 2026, 08:23 AM
