Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Network endpoint abuse with low complexity, but the description's 'caller/team' framing implies an authenticated tenant user (PR:L); scope changes cross-tenant with high confidentiality-only impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
FastGPT is an open source AI knowledge base platform. Prior to v4.15.0-beta5, two FastGPT file handlers authorize an unrelated resource and then sign or read an S3 object using a key taken directly from the request, without checking that the key belongs to the caller's team. Because S3 object keys are global within the bucket and carry the tenant id only as a path segment, an attacker can supply another team's key and obtain its file contents through the chat-file presign endpoint or dataset preview endpoint. This issue is fixed in version v4.15.0-beta5.
AnalysisAI
Cross-tenant file disclosure in FastGPT prior to v4.15.0-beta5 allows an attacker to read another team's stored files by supplying that team's S3 object key to the chat-file presign or dataset preview endpoints. The handlers authorize an unrelated resource but then sign or read the S3 object using a request-supplied key without verifying tenant ownership, so global bucket keys become an IDOR primitive. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation targets FastGPT's chat-file presign endpoint or dataset preview endpoint and requires the attacker to supply another team's S3 object key; because keys are global within the bucket and carry the tenant id only as a path segment, the attacker must know or derive a victim key. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, 8.6) rates this network-exploitable with no privileges and a changed scope reflecting cross-tenant impact, confidentiality-only. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated user of Team A learns or guesses another team's S3 object key (keys embed the tenant id only as a path segment and may leak via logs, shared links, or enumeration) and submits it to the chat-file presign or dataset preview endpoint. FastGPT authorizes an unrelated resource, then signs or reads the attacker-supplied key, returning Team B's file contents. … |
| Remediation | Upgrade to the fixed release: Vendor-released patch v4.15.0-beta5 (https://github.com/labring/FastGPT/releases/tag/v4.15.0-beta5), which adds tenant-ownership validation on the request-supplied S3 key. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all FastGPT deployments; confirm whether multi-tenant configuration is enabled; audit S3 access logs for anomalous cross-tenant object key requests. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
FastGPT is an AI Agent building platform. Prior to version 4.9.12, the LastRoute Parameter on login page is vulnerable t
Unauthenticated HTTP proxy abuse in FastGPT (AI Agent platform) prior to v4.14.9.5 allows remote attackers to relay arbi
FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of
NoSQL injection in FastGPT <4.14.9.5 password authentication allows unauthenticated remote attackers to bypass login con
GitHub Actions artifact-poisoning (pwn request) in labring/FastGPT allows an external attacker who opens a pull request
NoSQL injection in FastGPT versions before 4.14.9.5 allows authenticated attackers to bypass password verification on th
Authentication bypass in FastGPT 4.15.0-beta4 lets unauthenticated remote attackers forge JWTs and access internal plugi
Server-side request forgery in FastGPT before 4.15.0-beta4 lets an authenticated team member abuse the HTTP-tool OpenAPI
Server-Side Request Forgery in Labring FastGPT prior to 4.15.0-beta1 lets an authenticated attacker bypass the platform'
FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packa
Cross-tenant data disclosure in FastGPT 4.14.17 through 4.15.0-beta5 lets a low-privileged tenant user read another tena
Broken object-level authorization in FastGPT before 4.15.0 lets any authenticated user retrieve another team's LLM inter
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42115