FastGPT
CVE-2026-61643
MEDIUM
Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
Network vector confirmed; AC:H because victim app ID must be discovered; PR:L as authentication is mandatory; I:H for arbitrary cross-tenant HTTP tool execution.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
FastGPT is a knowledge-based AI application platform. From 4.14.17 until 4.15.0-beta5, an authenticated FastGPT user can save a workflow node that points to another user's private HTTP toolset by using a crafted saved tool id such as http-<victim_toolset_app_id>/<tool_name>. The normal toolset routes deny access, but the workflow save and runtime path did not apply the same authorization check to the referenced toolset, allowing /api/v2/chat/completions to resolve the saved reference and execute the victim-owned HTTP tool. This issue is fixed in version 4.15.0-beta5.
AnalysisAI
Authorization bypass in FastGPT's workflow engine allows any authenticated platform user to invoke another user's private HTTP toolsets by crafting a workflow node ID in the form http-<victim_toolset_app_id>/<tool_name>. Affected versions span 4.14.17 through pre-4.15.0-beta5; the normal toolset access routes enforce ownership, but the workflow save path and the /api/v2/chat/completions runtime endpoint omit the same check, enabling cross-tenant tool execution. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) an authenticated FastGPT account on the target instance (PR:L; unauthenticated access is not possible); (2) knowledge of a target user's private HTTP toolset application ID, which is not directly browsable but must be obtained through enumeration, a secondary information disclosure, or prior legitimate access; (3) ability to save and execute a workflow on /api/v2/chat/completions, which is the standard authenticated user capability. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N, score 5.9) accurately reflects the real-world risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated attacker on a multi-tenant FastGPT instance discovers a co-tenant's toolset app ID through enumeration or a separate information leak. The attacker crafts a workflow node using the ID http-<victim_app_id>/<tool_name> and saves it, bypassing the authorization check absent from the workflow save path. … |
| Remediation | The vendor-released fix is version 4.15.0-beta5, which adds a secondary authorization check during workflow execution (the release notes note 'system tool runs, re-apply secondary permission verification'). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
FastGPT is an AI Agent building platform. Prior to version 4.9.12, the LastRoute Parameter on login page is vulnerable t
Unauthenticated HTTP proxy abuse in FastGPT (AI Agent platform) prior to v4.14.9.5 allows remote attackers to relay arbi
FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of
NoSQL injection in FastGPT <4.14.9.5 password authentication allows unauthenticated remote attackers to bypass login con
GitHub Actions artifact-poisoning (pwn request) in labring/FastGPT allows an external attacker who opens a pull request
NoSQL injection in FastGPT versions before 4.14.9.5 allows authenticated attackers to bypass password verification on th
Authentication bypass in FastGPT 4.15.0-beta4 lets unauthenticated remote attackers forge JWTs and access internal plugi
Cross-tenant file disclosure in FastGPT prior to v4.15.0-beta5 allows an attacker to read another team's stored files by
Server-side request forgery in FastGPT before 4.15.0-beta4 lets an authenticated team member abuse the HTTP-tool OpenAPI
Server-Side Request Forgery in Labring FastGPT prior to 4.15.0-beta1 lets an authenticated attacker bypass the platform'
FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packa
Cross-tenant data disclosure in FastGPT 4.14.17 through 4.15.0-beta5 lets a low-privileged tenant user read another tena
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today