Authorization Weakness in FastGPT Knowledge-Based AI Application
CVE-2026-61644
7.7HIGH
What is CVE-2026-61644?
FastGPT suffers from an authorization weakness in its API endpoint /api/core/chat/record/getCollectionQuote. Versions 4.14.17 to 4.15.0-beta5 inadequately validate user permissions for chat and collection context. A low-privileged user can exploit this flaw by submitting a valid appId, chatId, chatItemDataId, and collectionId, while providing a dataset data id from a different tenant. This attack can lead to exposure of sensitive data such as foreign dataset quotes or content. Update to the latest version 4.15.0-beta5 to mitigate this risk.
Affected Version(s)
FastGPT >= 4.14.17, < 4.15.0-beta5
