Authorization Weakness in FastGPT Knowledge-Based AI Application
CVE-2026-61644

7.7HIGH

Key Information:

Vendor

Labring

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-61644?

FastGPT suffers from an authorization weakness in its API endpoint /api/core/chat/record/getCollectionQuote. Versions 4.14.17 to 4.15.0-beta5 inadequately validate user permissions for chat and collection context. A low-privileged user can exploit this flaw by submitting a valid appId, chatId, chatItemDataId, and collectionId, while providing a dataset data id from a different tenant. This attack can lead to exposure of sensitive data such as foreign dataset quotes or content. Update to the latest version 4.15.0-beta5 to mitigate this risk.

Affected Version(s)

FastGPT >= 4.14.17, < 4.15.0-beta5

References

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.