Unauthorized Access Vulnerability in FastGPT Knowledge-Based AI Platform
CVE-2026-61684
8.8HIGH
What is CVE-2026-61684?
The FastGPT plugin version 4.15.0-beta4 contains an improper authentication vulnerability that allows an unauthenticated attacker to exploit the system by self-signing a JWT. This flaw occurs because the JWT is signed with a constant string token, which is not set in official deployment templates. This oversight permits attackers to access sensitive endpoints, such as /api/invoke/userInfo, potentially leading to the disclosure of cross-tenant user Personally Identifiable Information (PII), and /api/invoke/fileUpload, enabling the upload of malicious content. The issue has been rectified in version 4.15.0-beta5.
Affected Version(s)
FastGPT = 4.15.0-beta4
