CVE-2026-61644 in FastGPTinfo

Summary

by MITRE • 07/15/2026

FastGPT is a knowledge-based AI application platform. From 4.14.17 until 4.15.0-beta5, the POST /api/core/chat/record/getCollectionQuote endpoint authenticates the caller's chat and collection context, but the initialId center-node lookup is not bound to that authorized context. A low-privileged tenant user can call the endpoint with valid attacker-owned appId, chatId, chatItemDataId, and collectionId values while supplying another tenant's dataset data id as initialId, causing the response to include foreign dataset quote or full-text content. This issue is fixed in version 4.15.0-beta5.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

The vulnerability exists within FastGPT's authentication and authorization mechanisms for the /api/core/chat/record/getCollectionQuote endpoint, representing a classic privilege escalation flaw that allows unauthorized data access across tenant boundaries. This issue affects versions from 4.14.17 through 4.15.0-beta5, where the system properly validates chat and collection context but fails to enforce proper authorization bounds when processing the initialId parameter. The technical flaw stems from a missing validation check that should have ensured the initialId value references data within the authenticated user's authorized context, creating a path for cross-tenant data leakage.

The operational impact of this vulnerability is significant as it enables low-privileged tenant users to access confidential dataset content belonging to other tenants through a carefully crafted API request. The attack requires minimal credentials and can be executed using valid appId, chatId, chatItemDataId, and collectionId values while substituting another tenant's dataset data id for the initialId parameter. This creates a scenario where attackers can extract quote or full-text content from foreign datasets without proper authorization, effectively bypassing multi-tenant isolation controls that should protect individual tenant data sovereignty.

This vulnerability aligns with CWE-285 (Improper Authorization) and represents a specific case of insecure direct object reference where the system fails to validate that the requested resource belongs to the authenticated user's authorized context. The flaw also maps to ATT&CK technique T1078 (Valid Accounts) as it leverages legitimate authentication tokens but exploits authorization boundaries, and potentially T1566 (Phishing) if attackers use compromised accounts to execute this attack. The issue demonstrates poor input validation and inadequate boundary checking in the API's data access controls.

Mitigation strategies should focus on implementing comprehensive context validation that ensures all parameters including initialId reference data within the authenticated user's authorized scope. Organizations should enforce strict parameter validation that cross-references all incoming values against the authenticated session context, implement proper tenant isolation checks before processing any data access requests, and establish automated monitoring for unauthorized data access patterns. The fix implemented in version 4.15.0-beta5 likely includes mandatory context binding for the initialId parameter and enhanced authorization verification steps that prevent cross-tenant data leakage while maintaining legitimate use cases for the API functionality.

Responsible

GitHub M

Reservation

07/10/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!