FastGPT Unauthenticated Cross-Tenant Data Access Vulnerability via Forged JWT

Vulnerability

A vulnerability in FastGPT version 4.15.0-beta4 allows unauthenticated cross-tenant data access through the exploitation of the plugin-invoke JWT authentication mechanism. The vulnerability arises because the INVOKE_TOKEN_SECRET, which is supposed to secure the reverse-call endpoints, defaults to a constant string 'token' and is not properly set in official deployment templates. This flaw enables an attacker to self-sign a JWT and access sensitive user information or manipulate chat files across different tenants.

Impact

Exploitation of this vulnerability leads to unauthorized access to personal identifiable information (PII) of users from other tenants, including email addresses, phone numbers, and organizational details. Additionally, it allows for the insertion of files into chat histories under false pretenses.

Reproduction

To reproduce this vulnerability, first, deploy FastGPT using the official Docker templates, which do not include a proper INVOKE_TOKEN_SECRET configuration. Once deployed, an attacker can self-sign a JWT using the default 'token' secret, including an arbitrary payload that specifies a target user's tmbId and teamId. This crafted token can then be used to call the /api/invoke/userInfo endpoint, bypassing authentication and retrieving sensitive user information from the specified tenant.

Remediation

Users can upgrade to FastGPT version 4.15.0-beta5, which addresses this vulnerability by requiring a proper INVOKE_TOKEN_SECRET configuration. Instructions for updating are available in the FastGPT release notes.

Added: Jul 15, 2026, 3:34 PM
Updated: Jul 15, 2026, 3:34 PM

Vulnerability Rating

Custom Algorithm
spread
0.0
impact
3.1
exploitability
8.0
remediation
0.0
relevance
9.8
threat
6.4
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.