Unauthorized Access Vulnerability in FastGPT Knowledge-Based AI Platform
CVE-2026-61684

8.8HIGH

Key Information:

Vendor

Labring

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-61684?

The FastGPT plugin version 4.15.0-beta4 contains an improper authentication vulnerability that allows an unauthenticated attacker to exploit the system by self-signing a JWT. This flaw occurs because the JWT is signed with a constant string token, which is not set in official deployment templates. This oversight permits attackers to access sensitive endpoints, such as /api/invoke/userInfo, potentially leading to the disclosure of cross-tenant user Personally Identifiable Information (PII), and /api/invoke/fileUpload, enabling the upload of malicious content. The issue has been rectified in version 4.15.0-beta5.

Affected Version(s)

FastGPT = 4.15.0-beta4

References

CVSS V4

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.