CVE-2026-40252
Broken Access Control (IDOR) Leading to Cross-Tenant Application Access in FastGPT
| CVSS Score | 0.0 |
| EPSS Score | 0.1% |
| EPSS Percentile | 18th |
FastGPT is an AI Agent building platform. Prior to 4.14.10.4, a Broken Access Control vulnerability (IDOR/BOLA) allows any authenticated team to access and execute applications belonging to other teams by supplying a foreign appId. While the API correctly validates the team token, it does not verify that the requested application belongs to the authenticated team. This leads to cross-tenant data exposure and unauthorized execution of private AI workflows. This vulnerability is fixed in 4.14.10.4.
| CWE | CWE-284, CWE-639 |
| Vendor | labring |
| Product | fastgpt |
| Published | Apr 10, 2026 |
| Last Updated | Apr 13, 2026 |
Affected Versions
labring / FastGPT
< 4.14.10.4
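
The missing ownership check from the description, shown next to a tenant-scoped version. This is an added example, not FastGPT's code or its actual patch. The in-memory store, the token and app values, and all function names are hypothetical.

```javascript
// Constructed sample data: team ids, tokens and app ids are hypothetical.
const apps = new Map([
  ["app-a1", { teamId: "team-a", name: "Team A support bot" }],
  ["app-b1", { teamId: "team-b", name: "Team B private workflow" }],
]);
const teamTokens = new Map([
  ["tok-a", "team-a"],
  ["tok-b", "team-b"],
]);

function httpError(status, message) {
  return Object.assign(new Error(message), { status });
}

// Step both handlers share: resolve the caller's team from its token.
function authenticateTeam(token) {
  const teamId = teamTokens.get(token);
  if (!teamId) throw httpError(401, "invalid team token");
  return teamId;
}

// Flawed pattern (CWE-639): the token is validated, but the application
// is loaded by appId alone, so the caller's team is never compared to it.
function runAppUnchecked(token, appId) {
  authenticateTeam(token);
  const app = apps.get(appId);
  if (!app) throw httpError(404, "app not found");
  return { status: 200, ran: app.name };
}

// Corrected pattern: the lookup is bound to the authenticated team.
function runAppScoped(token, appId) {
  const teamId = authenticateTeam(token);
  const app = apps.get(appId);
  // Same 404 for "missing" and "another tenant's app", so the response
  // does not confirm which appIds exist in other teams.
  if (!app || app.teamId !== teamId) throw httpError(404, "app not found");
  return { status: 200, ran: app.name };
}

// Regression-check helper: the HTTP-style status a handler produces.
function statusOf(handler, token, appId) {
  try { return handler(token, appId).status; } catch (e) { return e.status; }
}
```

A cross-tenant case such as `statusOf(runAppScoped, "tok-a", "app-b1")` is worth keeping as a permanent regression test for every endpoint that accepts an application id.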