PT-2026-32044 · Fastgpt · Fastgpt
Published 2026-04-10 · Updated 2026-04-11 · CVE-2026-40252
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
FastGPT versions prior to 4.14.10.4
Description
A broken access control issue (IDOR/BOLA) exists in FastGPT prior to version 4.14.10.4. Authenticated teams can access and execute applications belonging to other teams by providing a foreign appId. The API validates the team token but does not verify application ownership, leading to cross-tenant data exposure and unauthorized execution of AI workflows.
Recommendations
Update to version 4.14.10.4 or later.
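For teams reviewing their own multi-tenant handlers for the same class of flaw, the following added example (not FastGPT's code and not part of the original advisory) contrasts a token-only lookup with a lookup bound to the authenticated team. All names, ids and tokens are hypothetical and the in-memory data is constructed.

```javascript
// Constructed sample data: two tenants with one application each (hypothetical ids).
const apps = new Map([
  ["app-a1", { teamId: "team-a", name: "Team A support bot" }],
  ["app-b1", { teamId: "team-b", name: "Team B finance workflow" }],
]);
// Constructed team tokens; a real service would verify a signed credential instead.
const teamTokens = new Map([["tok-team-a", "team-a"], ["tok-team-b", "team-b"]]);
// Denied cross-tenant lookups are recorded here as a detection signal.
const auditLog = [];

function fail(status, message) {
  return Object.assign(new Error(message), { status });
}

// Authentication: resolve the caller's team from its token.
function authenticateTeam(token) {
  const teamId = teamTokens.get(token);
  if (!teamId) throw fail(401, "invalid team token");
  return teamId;
}

// Flawed pattern from the description: the token is validated, then whatever
// appId the caller supplied is loaded with no ownership comparison.
function resolveAppTokenOnly(token, appId) {
  authenticateTeam(token);
  const app = apps.get(appId);
  if (!app) throw fail(404, "app not found");
  return app;
}

// Hardened pattern: the object must belong to the authenticated team.
// Foreign and unknown ids both yield 404 so responses do not confirm foreign ids.
function resolveAppOwned(token, appId) {
  const teamId = authenticateTeam(token);
  const app = apps.get(appId);
  if (app && app.teamId !== teamId) auditLog.push({ teamId, appId, event: "cross_team_app_access" });
  if (!app || app.teamId !== teamId) throw fail(404, "app not found");
  return app;
}

// HTTP-style status a resolver would produce for one request.
function statusOf(resolver, token, appId) {
  try {
    resolver(token, appId);
    return 200;
  } catch (err) {
    return err.status ?? 500;
  }
}
```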
Fix
IDOR
Improper Access Control
Affected Products
Fastgpt