CVE-2026-61643 in FastGPTinfo

Summary

by MITRE • 07/15/2026

FastGPT is a knowledge-based AI application platform. From 4.14.17 until 4.15.0-beta5, an authenticated FastGPT user can save a workflow node that points to another user's private HTTP toolset by using a crafted saved tool id such as http-<victim_toolset_app_id>/<tool_name>. The normal toolset routes deny access, but the workflow save and runtime path did not apply the same authorization check to the referenced toolset, allowing /api/v2/chat/completions to resolve the saved reference and execute the victim-owned HTTP tool. This issue is fixed in version 4.15.0-beta5.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/15/2026

This vulnerability represents a critical authorization bypass flaw in FastGPT's workflow execution system that allows authenticated users to access and execute HTTP tools owned by other users. The issue stems from inconsistent authorization checks between the workflow saving process and the runtime execution path, creating a persistent security gap that could enable unauthorized data exfiltration or malicious command execution through compromised toolsets.

The technical flaw manifests in how FastGPT handles toolset references within workflow nodes, specifically in versions ranging from 4.14.17 through 4.15.0-beta5. During the workflow saving phase, the system properly validates access permissions for toolsets but fails to apply identical authorization checks during runtime execution when processing the /api/v2/chat/completions endpoint. This discrepancy creates a scenario where a malicious user can craft a specific toolset reference string in the format http-<victim_toolset_app_id>/<tool_name> which bypasses normal access controls and allows execution of tools belonging to other users.

The operational impact of this vulnerability extends beyond simple data access, as it enables potential privilege escalation and lateral movement within the FastGPT platform. Attackers could leverage this flaw to execute arbitrary HTTP-based tools owned by other users, potentially accessing sensitive data, performing unauthorized operations, or even establishing persistent access through malicious toolset configurations. This represents a classic case of insufficient authorization checks that violates fundamental security principles.

This vulnerability aligns with CWE-639: Authorization Bypass Through User-Controlled Key and maps to several ATT&CK techniques including T1078 Valid Accounts for initial access, T1566 Phishing for credential compromise, and T1059 Command and Scripting Interpreter for execution. The flaw demonstrates how seemingly minor inconsistencies in authorization logic can create significant security risks, particularly in collaborative platforms where users need to reference shared resources.

The fix implemented in version 4.15.0-beta5 addresses this by enforcing consistent authorization checks throughout the entire workflow lifecycle, ensuring that both save and runtime operations apply identical access control mechanisms. Organizations should implement additional monitoring for unauthorized toolset references and consider implementing least-privilege access controls for HTTP tools to minimize potential impact if similar flaws exist in other components of the platform.

Security practitioners should note that this vulnerability highlights the importance of comprehensive authorization testing across all application paths, particularly in systems where users can create and reference external resources. The issue underscores the need for thorough security reviews of workflow engines and integration points where user-controllable inputs interact with system resources, as these areas often contain complex authorization logic that can introduce subtle but serious security gaps.

The vulnerability demonstrates how modern AI platforms face unique authorization challenges when implementing collaborative features, where legitimate use cases for sharing tools and workflows must be carefully balanced against security requirements. This type of flaw serves as a reminder that security controls must be consistently applied across all code paths and execution contexts within complex applications, particularly those handling user-generated content and external integrations.

Organizations using FastGPT should immediately upgrade to version 4.15.0-beta5 or later to address this vulnerability, while also implementing proper access logging and monitoring for toolset references to detect potential exploitation attempts. Additionally, security teams should conduct thorough audits of similar authorization patterns throughout their AI platform infrastructure to identify and remediate any equivalent vulnerabilities that may exist in other components.

This incident illustrates the critical importance of maintaining consistent security controls across application lifecycles, particularly in platforms where users can dynamically reference external resources. The vulnerability serves as a cautionary example of how authorization bypasses can occur through subtle implementation differences between development phases and runtime execution contexts.

Responsible

GitHub M

Reservation

07/10/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!