FastGPT Cross-Tenant Data Disclosure Vulnerability via Unbound initialId Lookup

Vulnerability

A vulnerability in FastGPT versions 4.14.17 prior to 4.15.0-beta5 allows low-privileged tenant users to access another tenant's dataset quotes or full-text content. This occurs through the POST /api/core/chat/record/getCollectionQuote endpoint, where the initialId lookup is not properly bound to the authorized context. An attacker can exploit this by using their own valid appId, chatId, chatItemDataId, and collectionId, while supplying a victim's dataset data id as initialId. The issue is rooted in the fact that the endpoint authenticates the chat and collection context but fails to restrict the initialId lookup to the same tenant, leading to unauthorized data access.

Impact

Exploitation of this vulnerability allows an authenticated tenant user to read another tenant's dataset quotes and full-text content, violating FastGPT's tenant and dataset authorization boundaries. The leaked data includes RAG dataset text, not just metadata.

Reproduction

To reproduce this vulnerability, create two normal tenant users: one as the victim (user_a) and one as the attacker (user_b). As user_a, create a dataset and insert a document containing a unique marker. Then, as user_b, create a separate dataset with a different marker. After establishing this, create an app/chat flow that retains dataset citations for user_b's dataset. Capture the necessary identifiers from user_b's chat context and use a victim-owned dataset data id from user_a's dataset as initialId in a request to the getCollectionQuote endpoint. The response will include the victim's dataset text, demonstrating the cross-tenant data disclosure.

Remediation

Users can update to FastGPT version 4.15.0-beta5, where this vulnerability has been fixed.

Added: Jul 15, 2026, 3:38 PM
Updated: Jul 15, 2026, 3:38 PM

Vulnerability Rating

Custom Algorithm
spread
0.0
impact
2.5
exploitability
8.0
remediation
0.0
relevance
9.7
threat
6.4
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.