Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Network endpoint, trivial request (AC:L), needs a low-priv tenant account (PR:L), no UI; crossing the tenant boundary yields a scope change (S:C) with high confidentiality but no integrity or availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
FastGPT is a knowledge-based AI application platform. From 4.14.17 until 4.15.0-beta5, the POST /api/core/chat/record/getCollectionQuote endpoint authenticates the caller's chat and collection context, but the initialId center-node lookup is not bound to that authorized context. A low-privileged tenant user can call the endpoint with valid attacker-owned appId, chatId, chatItemDataId, and collectionId values while supplying another tenant's dataset data id as initialId, causing the response to include foreign dataset quote or full-text content. This issue is fixed in version 4.15.0-beta5.
AnalysisAI
Cross-tenant data disclosure in FastGPT 4.14.17 through 4.15.0-beta5 lets a low-privileged tenant user read another tenant's dataset content via the POST /api/core/chat/record/getCollectionQuote endpoint. The endpoint validates the caller's chat and collection context but fails to bind the initialId center-node lookup to that authorized context, so an attacker supplying a foreign dataset data id as initialId (while using their own valid appId, chatId, chatItemDataId, and collectionId) receives the victim tenant's dataset quote or full-text content. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated low-privileged tenant account on the FastGPT instance (CVSS PR:L) and a valid attacker-owned appId, chatId, chatItemDataId, and collectionId to pass the endpoint's context authentication; the attacker then supplies a foreign tenant's dataset data id as the initialId parameter to the POST /api/core/chat/record/getCollectionQuote endpoint. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, base 7.7) is internally consistent with the description: network-reachable, low complexity, requires only a low-privileged authenticated tenant account, no user interaction, and a scope change reflecting the cross-tenant confidentiality breach with no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged user with a legitimate account on a shared FastGPT instance creates their own app and chat, then calls POST /api/core/chat/record/getCollectionQuote with their own valid appId, chatId, chatItemDataId, and collectionId but substitutes another tenant's dataset data id as initialId. Because the initialId lookup is not authorization-bound, the response returns the victim tenant's dataset quote or full-text content, letting the attacker harvest confidential knowledge-base data by iterating over guessed or enumerated dataset ids. … |
| Remediation | Vendor-released patch: upgrade to FastGPT 4.15.0-beta5 or later, which binds the initialId center-node lookup to the authorized chat/collection context; the fix is tracked in GHSA-mmg6-2g54-j896, PR 7173, and commit 0c1840c7773c5be5d777f86228651479e02155db. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all FastGPT deployments and confirm which are running versions 4.14.17 through 4.15.0-beta5; immediately restrict network access to the POST /api/core/chat/record/getCollectionQuote endpoint via API gateway, WAF, or firewall rules and enable verbose audit logging on all calls to this endpoint to detect cross-tenant queries. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
FastGPT is an AI Agent building platform. Prior to version 4.9.12, the LastRoute Parameter on login page is vulnerable t
Unauthenticated HTTP proxy abuse in FastGPT (AI Agent platform) prior to v4.14.9.5 allows remote attackers to relay arbi
FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of
NoSQL injection in FastGPT <4.14.9.5 password authentication allows unauthenticated remote attackers to bypass login con
GitHub Actions artifact-poisoning (pwn request) in labring/FastGPT allows an external attacker who opens a pull request
NoSQL injection in FastGPT versions before 4.14.9.5 allows authenticated attackers to bypass password verification on th
Authentication bypass in FastGPT 4.15.0-beta4 lets unauthenticated remote attackers forge JWTs and access internal plugi
Cross-tenant file disclosure in FastGPT prior to v4.15.0-beta5 allows an attacker to read another team's stored files by
Server-side request forgery in FastGPT before 4.15.0-beta4 lets an authenticated team member abuse the HTTP-tool OpenAPI
Server-Side Request Forgery in Labring FastGPT prior to 4.15.0-beta1 lets an authenticated attacker bypass the platform'
FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packa
Broken object-level authorization in FastGPT before 4.15.0 lets any authenticated user retrieve another team's LLM inter
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44677