Resource Authorization Flaw in FastGPT by Labring
CVE-2026-55418
8.6HIGH
What is CVE-2026-55418?
FastGPT, an open-source AI knowledge base platform, has a resource authorization flaw that can lead to unauthorized access to S3 objects. Prior to version v4.15.0-beta5, two file handlers were found to sign or read S3 object keys directly from requests without validating that the key corresponds to the caller's team. This vulnerability allows an attacker to exploit another team's S3 object key, potentially granting access to sensitive files through specific endpoints such as the chat-file presign and dataset preview. The issue has been addressed in version v4.15.0-beta5, emphasizing the importance of proper security measures in resource handling.
Affected Version(s)
FastGPT < 4.15.0-beta5
