CVE-2026-55418 PUBLISHED

FastGPT: S3 presign/read handlers do not bind the object key to the caller's team (cross-team file disclosure)

Assigner: GitHub_M
Reserved: 16.06.2026 Published: 07.07.2026 Updated: 07.07.2026

FastGPT is an open source AI knowledge base platform. Prior to v4.15.0-beta5, two FastGPT file handlers authorize an unrelated resource and then sign or read an S3 object using a key taken directly from the request, without checking that the key belongs to the caller's team. Because S3 object keys are global within the bucket and carry the tenant id only as a path segment, an attacker can supply another team's key and obtain its file contents through the chat-file presign endpoint or dataset preview endpoint. This issue is fixed in version v4.15.0-beta5.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSS Score: 8.6

Product Status

Vendor labring
Product FastGPT
Versions
  • Version < 4.15.0-beta5 is affected

References

Problem Types

  • CWE-639: Authorization Bypass Through User-Controlled Key CWE