FastGPT Broken Access Control Vulnerability Allowing Cross-Tenant Application Access
Vulnerability
A broken access control vulnerability has been identified in FastGPT, an AI agent building platform, in versions prior to 4.14.10.4. It allows any authenticated team to access and execute applications belonging to other teams by providing a foreign appId. The API correctly validates the team token, but it fails to verify that the requested application belongs to the authenticated team. The result is cross-tenant data exposure and unauthorized execution of private AI workflows.
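The missing ownership check described above, shown as an added TypeScript example; it is not FastGPT's code or its actual patch. All type, function and data names are hypothetical, and the tenants, tokens and apps are constructed sample data.

```typescript
// Added illustration; every name here is hypothetical, not FastGPT's code.
type App = { appId: string; teamId: string; systemPrompt: string };
type InitRequest = { teamId: string; teamToken: string; appId: string };
type InitResult = { status: number; app?: App };

// Constructed sample data: two tenants, one private app each.
const teamTokens = new Map<string, string>([
  ["team-a", "token-a"],
  ["team-b", "token-b"],
]);
const apps = new Map<string, App>([
  ["app-a1", { appId: "app-a1", teamId: "team-a", systemPrompt: "Team A prompt" }],
  ["app-b1", { appId: "app-b1", teamId: "team-b", systemPrompt: "Team B prompt" }],
]);

// Authentication only: proves the caller is the team it claims to be.
// (A real service would verify a signed token; a map lookup stands in here.)
function authenticateTeam(req: InitRequest): boolean {
  const expected = teamTokens.get(req.teamId);
  return expected !== undefined && expected === req.teamToken;
}

// Flawed pattern from the advisory: token checked, app looked up by id alone.
function initChatTokenOnly(req: InitRequest): InitResult {
  if (!authenticateTeam(req)) return { status: 401 };
  const app = apps.get(req.appId);
  return app ? { status: 200, app } : { status: 404 };
}

// Hardened pattern: the app must belong to the authenticated team.
function initChatTenantScoped(req: InitRequest): InitResult {
  if (!authenticateTeam(req)) return { status: 401 };
  const app = apps.get(req.appId);
  // Design choice: same 404 for "missing" and "other tenant's" app,
  // so the response does not confirm that a foreign appId exists.
  if (!app || app.teamId !== req.teamId) return { status: 404 };
  return { status: 200, app };
}
```

The same ownership check belongs on every endpoint that accepts an appId, including the one that executes the application, not only the init call.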
Impact
Exploitation of this vulnerability causes cross-tenant data exposure, unauthorized execution of AI applications, and leakage of sensitive prompts and workflows. Additionally, it could result in financial abuse through resource consumption and intellectual property leakage.
Reproduction
To reproduce this vulnerability, first obtain a valid team token for Team A. Then, acquire a valid appId that belongs to Team B. With these, send a POST request to the '/api/core/chat/team/init' endpoint, including the teamId, teamToken, and the foreign appId. This will authenticate Team A and grant access to the application from Team B, including sensitive data such as system prompts and workflow configurations. The vulnerability can also be exploited by using the '/api/v1/chat/completions' endpoint to execute the accessed application and retrieve AI-generated responses from Team B's private assistant.
Remediation
Users are advised to update to FastGPT version 4.14.10.4 or later, where this vulnerability has been fixed.