Information Disclosure Vulnerability in FastGPT AI Application Platform
CVE-2026-54602

7.1HIGH

Key Information:

Vendor

Labring

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-54602?

FastGPT, a knowledge-based AI application platform, contains an information disclosure vulnerability that affects versions prior to 4.15.0. This vulnerability occurs when authenticated users can access LLM request and response traces simply by knowing the requestId. The malfunction lies in the API endpoint GET /api/core/ai/record/getRecord, which does not enforce team scoping when returning sensitive data, allowing users to read prompts and retrieved RAG chunks from other teams. This security flaw has been addressed in version 4.15.0, where proper scoping measures have been implemented to prevent unauthorized data access.

Affected Version(s)

FastGPT < 4.15.0

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.