Skip to main content

FastGPT CVE-2026-61643

MEDIUM
Incorrect Authorization (CWE-863)
2026-07-15 GitHub_M
5.9
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
vuln.today AI
5.9 MEDIUM

Network vector confirmed; AC:H because victim app ID must be discovered; PR:L as authentication is mandatory; I:H for arbitrary cross-tenant HTTP tool execution.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 15, 2026 - 17:51 vuln.today
Analysis Generated
Jul 15, 2026 - 17:51 vuln.today

DescriptionCVE.org

FastGPT is a knowledge-based AI application platform. From 4.14.17 until 4.15.0-beta5, an authenticated FastGPT user can save a workflow node that points to another user's private HTTP toolset by using a crafted saved tool id such as http-<victim_toolset_app_id>/<tool_name>. The normal toolset routes deny access, but the workflow save and runtime path did not apply the same authorization check to the referenced toolset, allowing /api/v2/chat/completions to resolve the saved reference and execute the victim-owned HTTP tool. This issue is fixed in version 4.15.0-beta5.

AnalysisAI

Authorization bypass in FastGPT's workflow engine allows any authenticated platform user to invoke another user's private HTTP toolsets by crafting a workflow node ID in the form http-<victim_toolset_app_id>/<tool_name>. Affected versions span 4.14.17 through pre-4.15.0-beta5; the normal toolset access routes enforce ownership, but the workflow save path and the /api/v2/chat/completions runtime endpoint omit the same check, enabling cross-tenant tool execution. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to FastGPT instance
Delivery
Discover victim's toolset app ID
Exploit
Craft workflow node with http-<victim_id>/<tool_name>
Execution
Save workflow via unguarded save endpoint
Persist
Execute workflow via /api/v2/chat/completions
Impact
Victim's private HTTP tool fires on attacker's behalf

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) an authenticated FastGPT account on the target instance (PR:L; unauthenticated access is not possible); (2) knowledge of a target user's private HTTP toolset application ID, which is not directly browsable but must be obtained through enumeration, a secondary information disclosure, or prior legitimate access; (3) ability to save and execute a workflow on /api/v2/chat/completions, which is the standard authenticated user capability. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N, score 5.9) accurately reflects the real-world risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated attacker on a multi-tenant FastGPT instance discovers a co-tenant's toolset app ID through enumeration or a separate information leak. The attacker crafts a workflow node using the ID http-<victim_app_id>/<tool_name> and saves it, bypassing the authorization check absent from the workflow save path. …
Remediation The vendor-released fix is version 4.15.0-beta5, which adds a secondary authorization check during workflow execution (the release notes note 'system tool runs, re-apply secondary permission verification'). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-52552 MEDIUM POC
6.1 Jun 21

FastGPT is an AI Agent building platform. Prior to version 4.9.12, the LastRoute Parameter on login page is vulnerable t

CVE-2026-34162 CRITICAL
10.0 Mar 31

Unauthenticated HTTP proxy abuse in FastGPT (AI Agent platform) prior to v4.14.9.5 allows remote attackers to relay arbi

CVE-2026-42302 CRITICAL
9.8 May 08

FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of

CVE-2026-40351 CRITICAL
9.8 Apr 17

NoSQL injection in FastGPT <4.14.9.5 password authentication allows unauthenticated remote attackers to bypass login con

CVE-2026-50562 CRITICAL
9.3 Jul 15

GitHub Actions artifact-poisoning (pwn request) in labring/FastGPT allows an external attacker who opens a pull request

CVE-2026-40352 HIGH
8.8 Apr 17

NoSQL injection in FastGPT versions before 4.14.9.5 allows authenticated attackers to bypass password verification on th

CVE-2026-61684 HIGH
8.8 Jul 15

Authentication bypass in FastGPT 4.15.0-beta4 lets unauthenticated remote attackers forge JWTs and access internal plugi

CVE-2026-55418 HIGH
8.6 Jul 07

Cross-tenant file disclosure in FastGPT prior to v4.15.0-beta5 allows an attacker to read another team's stored files by

CVE-2026-54607 HIGH
7.7 Jul 07

Server-side request forgery in FastGPT before 4.15.0-beta4 lets an authenticated team member abuse the HTTP-tool OpenAPI

CVE-2026-44285 HIGH
7.7 May 29

Server-Side Request Forgery in Labring FastGPT prior to 4.15.0-beta1 lets an authenticated attacker bypass the platform'

CVE-2026-42345 HIGH
7.7 May 08

FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packa

CVE-2026-61644 HIGH
7.7 Jul 15

Cross-tenant data disclosure in FastGPT 4.14.17 through 4.15.0-beta5 lets a low-privileged tenant user read another tena

Share

CVE-2026-61643 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy