FastGPT is a knowledge-based AI application platform. Prior to 4.15.0, GET /api/core/ai/record/getRecord authenticates the caller but loads LLM request and response traces only by requestId without team scoping, allowing any authenticated user to read another team's prompts, retrieved RAG chunks, and completions if the requestId is known. This issue is fixed in version 4.15.0.
Metrics
Affected Vendors & Products
References
History
Tue, 07 Jul 2026 23:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Labring
Labring fastgpt |
|
| Vendors & Products |
Labring
Labring fastgpt |
Tue, 07 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | FastGPT is a knowledge-based AI application platform. Prior to 4.15.0, GET /api/core/ai/record/getRecord authenticates the caller but loads LLM request and response traces only by requestId without team scoping, allowing any authenticated user to read another team's prompts, retrieved RAG chunks, and completions if the requestId is known. This issue is fixed in version 4.15.0. | |
| Title | FastGPT: Cross-team LLM request/response disclosure (IDOR) via /api/core/ai/record/getRecord | |
| Weaknesses | CWE-639 | |
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-07T21:24:20.359Z
Reserved: 2026-06-15T19:45:23.540Z
Link: CVE-2026-54602
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-08T09:00:14Z