Skip to main content

FastGPT CVE-2026-61644

| EUVDEUVD-2026-44677 HIGH
Incorrect Authorization (CWE-863)
2026-07-15 GitHub_M
7.7
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
vuln.today AI
7.7 HIGH

Network endpoint, trivial request (AC:L), needs a low-priv tenant account (PR:L), no UI; crossing the tenant boundary yields a scope change (S:C) with high confidentiality but no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Jul 15, 2026 - 17:48 EUVD
Source Code Evidence Fetched
Jul 15, 2026 - 15:21 vuln.today
Analysis Generated
Jul 15, 2026 - 15:21 vuln.today
CVE Published
Jul 15, 2026 - 14:30 cve.org
HIGH 7.7

DescriptionCVE.org

FastGPT is a knowledge-based AI application platform. From 4.14.17 until 4.15.0-beta5, the POST /api/core/chat/record/getCollectionQuote endpoint authenticates the caller's chat and collection context, but the initialId center-node lookup is not bound to that authorized context. A low-privileged tenant user can call the endpoint with valid attacker-owned appId, chatId, chatItemDataId, and collectionId values while supplying another tenant's dataset data id as initialId, causing the response to include foreign dataset quote or full-text content. This issue is fixed in version 4.15.0-beta5.

AnalysisAI

Cross-tenant data disclosure in FastGPT 4.14.17 through 4.15.0-beta5 lets a low-privileged tenant user read another tenant's dataset content via the POST /api/core/chat/record/getCollectionQuote endpoint. The endpoint validates the caller's chat and collection context but fails to bind the initialId center-node lookup to that authorized context, so an attacker supplying a foreign dataset data id as initialId (while using their own valid appId, chatId, chatItemDataId, and collectionId) receives the victim tenant's dataset quote or full-text content. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privileged tenant
Delivery
Create own app/chat/collection context
Exploit
Craft getCollectionQuote request with foreign initialId
Execution
Server resolves unauthorized dataset node
Impact
Read another tenant's dataset content

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated low-privileged tenant account on the FastGPT instance (CVSS PR:L) and a valid attacker-owned appId, chatId, chatItemDataId, and collectionId to pass the endpoint's context authentication; the attacker then supplies a foreign tenant's dataset data id as the initialId parameter to the POST /api/core/chat/record/getCollectionQuote endpoint. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, base 7.7) is internally consistent with the description: network-reachable, low complexity, requires only a low-privileged authenticated tenant account, no user interaction, and a scope change reflecting the cross-tenant confidentiality breach with no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged user with a legitimate account on a shared FastGPT instance creates their own app and chat, then calls POST /api/core/chat/record/getCollectionQuote with their own valid appId, chatId, chatItemDataId, and collectionId but substitutes another tenant's dataset data id as initialId. Because the initialId lookup is not authorization-bound, the response returns the victim tenant's dataset quote or full-text content, letting the attacker harvest confidential knowledge-base data by iterating over guessed or enumerated dataset ids. …
Remediation Vendor-released patch: upgrade to FastGPT 4.15.0-beta5 or later, which binds the initialId center-node lookup to the authorized chat/collection context; the fix is tracked in GHSA-mmg6-2g54-j896, PR 7173, and commit 0c1840c7773c5be5d777f86228651479e02155db. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all FastGPT deployments and confirm which are running versions 4.14.17 through 4.15.0-beta5; immediately restrict network access to the POST /api/core/chat/record/getCollectionQuote endpoint via API gateway, WAF, or firewall rules and enable verbose audit logging on all calls to this endpoint to detect cross-tenant queries. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-52552 MEDIUM POC
6.1 Jun 21

FastGPT is an AI Agent building platform. Prior to version 4.9.12, the LastRoute Parameter on login page is vulnerable t

CVE-2026-34162 CRITICAL
10.0 Mar 31

Unauthenticated HTTP proxy abuse in FastGPT (AI Agent platform) prior to v4.14.9.5 allows remote attackers to relay arbi

CVE-2026-42302 CRITICAL
9.8 May 08

FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of

CVE-2026-40351 CRITICAL
9.8 Apr 17

NoSQL injection in FastGPT <4.14.9.5 password authentication allows unauthenticated remote attackers to bypass login con

CVE-2026-50562 CRITICAL
9.3 Jul 15

GitHub Actions artifact-poisoning (pwn request) in labring/FastGPT allows an external attacker who opens a pull request

CVE-2026-40352 HIGH
8.8 Apr 17

NoSQL injection in FastGPT versions before 4.14.9.5 allows authenticated attackers to bypass password verification on th

CVE-2026-61684 HIGH
8.8 Jul 15

Authentication bypass in FastGPT 4.15.0-beta4 lets unauthenticated remote attackers forge JWTs and access internal plugi

CVE-2026-55418 HIGH
8.6 Jul 07

Cross-tenant file disclosure in FastGPT prior to v4.15.0-beta5 allows an attacker to read another team's stored files by

CVE-2026-54607 HIGH
7.7 Jul 07

Server-side request forgery in FastGPT before 4.15.0-beta4 lets an authenticated team member abuse the HTTP-tool OpenAPI

CVE-2026-44285 HIGH
7.7 May 29

Server-Side Request Forgery in Labring FastGPT prior to 4.15.0-beta1 lets an authenticated attacker bypass the platform'

CVE-2026-42345 HIGH
7.7 May 08

FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packa

CVE-2026-54602 HIGH
7.1 Jul 07

Broken object-level authorization in FastGPT before 4.15.0 lets any authenticated user retrieve another team's LLM inter

Share

CVE-2026-61644 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy