CVE-2026-55418 in FastGPTinfo

Summary

by MITRE • 07/08/2026

FastGPT is an open source AI knowledge base platform. Prior to v4.15.0-beta5, two FastGPT file handlers authorize an unrelated resource and then sign or read an S3 object using a key taken directly from the request, without checking that the key belongs to the caller's team. Because S3 object keys are global within the bucket and carry the tenant id only as a path segment, an attacker can supply another team's key and obtain its file contents through the chat-file presign endpoint or dataset preview endpoint. This issue is fixed in version v4.15.0-beta5.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/08/2026

This vulnerability affects FastGPT, an open-source AI knowledge base platform that processes files through S3 object storage. The flaw exists in the file handling mechanisms where two specific endpoints authorize access to S3 objects without proper validation of the requesting team's ownership of the target resource. The vulnerability stems from a critical design oversight in the authorization flow where S3 object keys are accepted directly from client requests without verification against the caller's team context.

The technical implementation demonstrates a classic privilege escalation weakness that violates fundamental security principles of access control. When FastGPT processes file requests through chat-file presign endpoints or dataset preview endpoints, it accepts S3 object keys as provided by the client without performing any validation to ensure these keys belong to the requesting team's tenant. This design flaw creates a severe information disclosure vulnerability because S3 object keys are globally unique within a bucket but only encode tenant identification through path segments rather than explicit ownership attributes.

The operational impact of this vulnerability is significant as it allows attackers to bypass team-based access controls and retrieve confidential files belonging to other teams within the same S3 bucket. An attacker can simply construct a request containing another team's S3 object key, submit it through the vulnerable endpoints, and gain unauthorized access to that team's file contents. This represents a direct violation of data isolation principles and could lead to exposure of sensitive information, intellectual property, or confidential business data across different tenant contexts within the same storage infrastructure.

This vulnerability aligns with CWE-284 (Improper Access Control) and maps to ATT&CK technique T1078 (Valid Accounts) as it exploits legitimate authentication mechanisms to access unauthorized resources. The flaw also demonstrates characteristics of privilege escalation through improper resource validation, similar to CWE-732 (Incorrect Permission Assignment for Critical Resource) where the system fails to enforce proper access boundaries between distinct tenant contexts. The fix implemented in version v4.15.0-beta5 addresses this by introducing proper authorization checks that validate S3 object keys against the requesting team's ownership context before permitting access to sensitive file contents through either the chat-file presign endpoint or dataset preview endpoint.

Responsible

GitHub M

Reservation

06/16/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!