CVE-2026-55418 in FastGPTinfo

Zusammenfassung

von MITRE • 08.07.2026

FastGPT is an open source AI knowledge base platform. Prior to v4.15.0-beta5, two FastGPT file handlers authorize an unrelated resource and then sign or read an S3 object using a key taken directly from the request, without checking that the key belongs to the caller's team. Because S3 object keys are global within the bucket and carry the tenant id only as a path segment, an attacker can supply another team's key and obtain its file contents through the chat-file presign endpoint or dataset preview endpoint. This issue is fixed in version v4.15.0-beta5.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Zuständig

GitHub M

Reservieren

16.06.2026

Veröffentlichung

08.07.2026

Moderieren

akzeptiert

Eintrag

VDB-376716

CPE

bereit

EPSS

0.00000

KEV

nein

Aktivitäten

very low

Quellen

Do you need the next level of professionalism?

Upgrade your account now!