CVE-2026-54602
FastGPT: Cross-team LLM request/response disclosure (IDOR) via /api/core/ai/record/getRecord
CVSS Score
0.0
EPSS Score
0.2%
EPSS Percentile
13th
FastGPT is a knowledge-based AI application platform. Prior to 4.15.0, GET /api/core/ai/record/getRecord authenticates the caller but loads LLM request and response traces only by requestId without team scoping, allowing any authenticated user to read another team's prompts, retrieved RAG chunks, and completions if the requestId is known. This issue is fixed in version 4.15.0.
| CWE | CWE-639 |
| Vendor | labring |
| Product | fastgpt |
| Published | Jul 7, 2026 |
| Last Updated | Jul 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for labring fastgpt
Be the first to know when new unknown vulnerabilities affecting labring fastgpt are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
labring / FastGPT
< 4.15.0