Back to overview

CVE-2026-54601

MEDIUM
6.3
CVSS 3.1
Description
FastGPT is an open source AI knowledge base platform. From 4.14.17 to before 4.15.0-beta4, FastGPT allows an authenticated tenant user to call POST /api/core/dataset/collection/create/reTrainingCollection in a way that persists a server-owned datasetId value from another tenant. This creates mixed dataset objects and downstream dataset, collection, and training endpoints then make authorization decisions from inconsistent ownership anchors, allowing cross-tenant read, update, and delete access when mixed object ids are known. This issue is fixed in version 4.15.0-beta4.

Metadata

CVE ID
CVE-2026-54601
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-15 19:45 UTC
Published
2026-07-07 21:16 UTC
Last updated
2026-07-07 21:16 UTC
Primary CWE
CWE-915
CWE-915: Improperly Controlled Modification of Dynamically-D…
Vendor / Product
labring / FastGPT
Sources
cve.org  ·  NVD

Severity & Metrics

6.3 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Affected products (1)
VendorProductPlatformVersions
labring FastGPT >= 4.14.17, < 4.15.0-beta4
Weakness (CWE)
CWESourceDescription
CWE-915 cna CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
CVSS scores (1)
ScoreSeverityVersionSourceVector
6.3 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
References (4)
Back to overview