Cross-Tenant Data Access Vulnerability in FastGPT by Labring
CVE-2026-54601
6.3MEDIUM
What is CVE-2026-54601?
FastGPT, an open-source AI knowledge base platform, has a vulnerability affecting versions 4.14.17 to just before 4.15.0-beta4. Authenticated tenant users can exploit the API endpoint POST /api/core/dataset/collection/create/reTrainingCollection, potentially allowing them to use a server-owned datasetId from another tenant. This oversight results in mixed dataset objects that compromise authorization decisions, enabling unauthorized read, update, and delete access across different tenants if mixed object IDs are known. This critical issue has been addressed in version 4.15.0-beta4.
Affected Version(s)
FastGPT >= 4.14.17, < 4.15.0-beta4
