๐Ÿ” CVE Alert

CVE-2026-61684

UNKNOWN 0.0

FastGPT: Unauthenticated cross-tenant data access via forgeable plugin-invoke JWT (default INVOKE_TOKEN_SECRET='token')

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

FastGPT is a knowledge-based AI application platform. In 4.15.0-beta4, FastGPT plugin invoke reverse-call endpoints under /api/invoke/* authenticate only by verifying a JWT signed with INVOKE_TOKEN_SECRET, which defaults to the constant string token and was not set in official deployment templates. An unauthenticated attacker can self-sign an HS256 JWT and reach /api/invoke/userInfo to disclose cross-tenant user PII by attacker-supplied tmbId values, or /api/invoke/fileUpload to write attacker-controlled content into chat files. This issue is fixed in version 4.15.0-beta5.

CWE CWE-798
Vendor labring
Product fastgpt
Published Jul 15, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for labring fastgpt

Be the first to know when new unknown vulnerabilities affecting labring fastgpt are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

labring / FastGPT
= 4.15.0-beta4

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/labring/FastGPT/security/advisories/GHSA-w732-rq8c-chc8 github.com: https://github.com/labring/FastGPT/pull/7170 github.com: https://github.com/labring/FastGPT/commit/f5f1e58b25571b7107ca49d9bf96bb2b0e0a620a github.com: https://github.com/labring/FastGPT/releases/tag/v4.15.0-beta5