Vulnerability Information
Vulnerability Title
Broken Access Control (IDOR) Leading to Cross-Tenant Application Access in FastGPT
Vulnerability Description
FastGPT is an AI Agent building platform. Prior to 4.14.10.4, a Broken Access Control vulnerability (IDOR/BOLA) allows any authenticated team to access and execute applications belonging to other teams by supplying a foreign appId. While the API correctly validates the team token, it does not verify that the requested application belongs to the authenticated team. This leads to cross-tenant data exposure and unauthorized execution of private AI workflows. This vulnerability is fixed in 4.14.10.4.
CVSS Information
N/A
Vulnerability Type
Improper Access Control
Vulnerability Title
FastGPT Security Vulnerability
Vulnerability Description
FastGPT is an open-source knowledge-base question-answering system based on large language models, released by labring. FastGPT versions prior to 4.14.10.4 contain a security vulnerability that stems from improper access control: any authenticated team can access and execute applications belonging to other teams by supplying a foreign appId, which may lead to cross-tenant data exposure and unauthorized execution of private AI workflows.
CVSS Information
N/A
Vulnerability Type
N/A
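The missing check described in both descriptions above, modelled as an added example (not FastGPT's own code): a lookup that validates the caller's team but fetches the app by appId alone, beside a hardened lookup that also requires the app's owning team to match. The interfaces, sample apps and team names are constructed assumptions.

```typescript
// Added example, not FastGPT code: a minimal model of the tenant-ownership
// check the advisory says was missing. Types and names are assumptions.
interface App { appId: string; teamId: string; name: string }
interface TeamAuth { teamId: string }

// Constructed sample data: two tenants, one private app each.
const apps: Record<string, App> = {
  "app-a": { appId: "app-a", teamId: "team-A", name: "Team A private workflow" },
  "app-b": { appId: "app-b", teamId: "team-B", name: "Team B private workflow" },
};

// Vulnerable pattern: the team token is valid, but the app is looked up by
// appId only, so any authenticated team can reach another team's app.
function getAppVulnerable(auth: TeamAuth, appId: string): App | undefined {
  if (!auth.teamId) throw new Error("unauthenticated");
  return apps[appId];
}

// Hardened pattern: the app must belong to the authenticated team.
// A foreign appId yields "not found" rather than "forbidden", so the
// response does not confirm that another tenant's app exists.
function getAppAuthorized(auth: TeamAuth, appId: string): App | undefined {
  if (!auth.teamId) throw new Error("unauthenticated");
  const app = apps[appId];
  if (!app || app.teamId !== auth.teamId) return undefined;
  return app;
}

// Regression check for a test suite: appIds the vulnerable path returns
// for this team that the hardened path refuses. Non-empty means IDOR.
function crossTenantLeaks(auth: TeamAuth): string[] {
  return Object.keys(apps).filter(
    (id) => getAppVulnerable(auth, id) !== undefined &&
            getAppAuthorized(auth, id) === undefined,
  );
}
```

The same ownership comparison belongs on every app-scoped route (read, update, delete, execute), not only on the read path.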