CVE-2026-61684 in FastGPTinfo

Summary

by MITRE • 07/15/2026

FastGPT is a knowledge-based AI application platform. In 4.15.0-beta4, FastGPT plugin invoke reverse-call endpoints under /api/invoke/* authenticate only by verifying a JWT signed with INVOKE_TOKEN_SECRET, which defaults to the constant string token and was not set in official deployment templates. An unauthenticated attacker can self-sign an HS256 JWT and reach /api/invoke/userInfo to disclose cross-tenant user PII by attacker-supplied tmbId values, or /api/invoke/fileUpload to write attacker-controlled content into chat files. This issue is fixed in version 4.15.0-beta5.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

The FastGPT platform presents a critical authentication bypass vulnerability in version 4.15.0-beta4 that stems from improper token validation mechanisms within its reverse-call endpoint infrastructure. The system relies on JWT authentication for plugin invocations under the /api/invoke/* path but fails to properly secure the INVOKE_TOKEN_SECRET environment variable which defaults to a hard-coded string value of "token". This fundamental configuration oversight creates an exploitable weakness where any attacker can generate valid HS256 signed tokens without knowledge of the secret key, as the default value is publicly known and exposed in deployment templates. The vulnerability manifests through the authentication mechanism that only verifies JWT signatures without ensuring proper secret key management or validation against expected deployment configurations.

The technical flaw represents a classic implementation of weak cryptographic practices where the security of the system depends on a hardcoded secret that should never be part of publicly distributed code or documentation. This issue directly maps to CWE-310, which addresses cryptographic weaknesses in authentication mechanisms, specifically focusing on the use of predictable or hard-coded secrets for token generation and verification. Attackers can exploit this by crafting malicious JWT tokens with the known default secret, allowing them to escalate privileges and access restricted endpoints that should only be available to authenticated users within specific tenant contexts.

The operational impact of this vulnerability extends beyond simple unauthorized access to include serious data exposure and potential data manipulation capabilities. An attacker who successfully exploits this vulnerability can enumerate user information through the /api/invoke/userInfo endpoint by supplying crafted tmbId values, thereby enabling cross-tenant data leakage and privacy violations that compromise user PII across different organizational boundaries. Additionally, the ability to reach the /api/invoke/fileUpload endpoint allows adversaries to write arbitrary content into chat files, potentially leading to persistent malicious payloads or data corruption within the platform's document storage systems. This dual capability creates both reconnaissance and persistence vectors that align with ATT&CK technique T1078 for valid accounts and T1566 for credential harvesting.

The security implications of this vulnerability demonstrate a failure in proper secure coding practices and configuration management, particularly regarding the handling of cryptographic secrets and environment variable initialization. Organizations using FastGPT should immediately implement proper secret rotation procedures and ensure that all deployment templates include clear documentation requiring administrators to set unique, random values for INVOKE_TOKEN_SECRET rather than relying on default configurations. The fix implemented in version 4.15.0-beta5 addresses this by enforcing proper secret validation and ensuring that default values are never used in production environments, thereby preventing the exploitation path that existed in the vulnerable release.

This vulnerability highlights the importance of following security best practices for cryptographic implementations and demonstrates how seemingly minor configuration oversights can create significant security risks. The attack surface is particularly concerning given that FastGPT operates as a knowledge-based platform where user data and organizational information are stored and processed, making unauthorized access to PII and document manipulation capabilities extremely dangerous from both privacy and operational standpoints. The incident serves as a reminder of the critical need for proper environment variable management, regular security audits of deployment configurations, and adherence to principle of least privilege in API endpoint access controls within cloud-based AI platforms.

Responsible

GitHub M

Reservation

07/10/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!