CVE-2026-54602 in FastGPT
Summary
by MITRE • 07/08/2026
FastGPT is a knowledge-based AI application platform. Prior to 4.15.0, GET /api/core/ai/record/getRecord authenticates the caller but loads LLM request and response traces only by requestId without team scoping, allowing any authenticated user to read another team's prompts, retrieved RAG chunks, and completions if the requestId is known. This issue is fixed in version 4.15.0.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/08/2026
The vulnerability exists within FastGPT's authentication and authorization mechanisms, specifically affecting the GET /api/core/ai/record/getRecord endpoint. This represents a critical access control flaw that violates fundamental security principles of data isolation and privilege separation. The issue stems from improper implementation of team scoping controls during the retrieval of large language model interaction records, where the system authenticates users but fails to enforce proper authorization checks based on team membership or ownership.
The technical flaw manifests as a lack of team context validation when processing requests for AI interaction traces. When an authenticated user makes a request to retrieve records using only the requestId parameter, the system retrieves all associated prompt data, retrieved RAG chunks, and model completions without verifying whether the requesting user belongs to the same team that originally generated those interactions. This creates a classic privilege escalation vulnerability where users can access sensitive AI-generated content belonging to other teams simply by knowing the specific request identifiers.
The operational impact of this vulnerability is severe for organizations relying on FastGPT for knowledge-based AI applications, particularly in enterprise environments where data isolation between teams or departments is paramount. An attacker with valid credentials could potentially extract confidential prompts, proprietary RAG context data, and model outputs from competing teams or business units, leading to intellectual property theft, competitive disadvantage, and potential compliance violations. The vulnerability is especially dangerous because it requires minimal information gathering - knowing only a valid requestId allows unauthorized access to sensitive AI interaction data.
This vulnerability aligns with CWE-285 (Improper Authorization) and represents a specific instance of insufficient access control validation. From an ATT&CK framework perspective, this maps to T1566 (Phishing) and T1078 (Valid Accounts) as attackers could leverage legitimate credentials to exploit the authorization gap, and potentially to T1528 (Steal Application Access Token) if they can obtain request identifiers through other means. The fix implemented in version 4.15.0 likely involves adding team scoping checks during record retrieval operations, ensuring that users can only access records associated with their own teams or those for which they have explicit authorization.
Organizations using FastGPT should immediately implement the 4.15.0 update and conduct thorough audits of existing AI interaction data to identify any potential unauthorized access incidents. Additional mitigations include implementing request identifier randomization, adding audit logging for record retrieval operations, and establishing proper team-based access controls that enforce data isolation principles. The vulnerability highlights the importance of comprehensive authorization testing, particularly for API endpoints handling sensitive AI-generated content where data lineage and ownership are critical factors in maintaining security posture.