CVE-2026-54601
CVE-2026-54601 is a medium-severity vulnerability with a CVSS 3.x base score of 6.3. The underlying weakness is classified as CWE-915.
Key facts
- Severity: Medium (CVSS 3.x base score 6.3)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-915
- Published:
- Last modified:
Description
FastGPT is an open source AI knowledge base platform. From 4.14.17 to before 4.15.0-beta4, FastGPT allows an authenticated tenant user to call POST /api/core/dataset/collection/create/reTrainingCollection in a way that persists a server-owned datasetId value from another tenant. This creates mixed dataset objects and downstream dataset, collection, and training endpoints then make authorization decisions from inconsistent ownership anchors, allowing cross-tenant read, update, and delete access when mixed object ids are known. This issue is fixed in version 4.15.0-beta4.
Frequently asked questions
- What is CVE-2026-54601?
- FastGPT is an open source AI knowledge base platform. From 4.14.17 to before 4.15.0-beta4, FastGPT allows an authenticated tenant user to call POST /api/core/dataset/collection/create/reTrainingCollection in a way that persists a server-owned datasetId value from another tenant. This creates mixed dataset objects and downstream dataset, collection, and training endpoints then make authorization decisions from inconsistent ownership anchors, allowing cross-tenant read, update, and delete access when mixed object ids are known. This issue is fixed in version 4.15.0-beta4.
- How severe is CVE-2026-54601?
- CVE-2026-54601 has a CVSS 3.x base score of 6.3, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability low.
- Is CVE-2026-54601 being actively exploited?
- It is not currently listed in CISA's Known Exploited Vulnerabilities catalog, and no EPSS exploit-prediction score is available yet.
- How do I fix CVE-2026-54601?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2026-54601 published?
- CVE-2026-54601 was published on 2026-07-07.
References
- https://github.com/labring/FastGPT/commit/54a53e7d4399f1dfa2913394442c3cf6de672fb3
- https://github.com/labring/FastGPT/pull/7071
- https://github.com/labring/FastGPT/releases/tag/v4.15.0-beta4
- https://github.com/labring/FastGPT/security/advisories/GHSA-qxcq-48gr-93pj
Other CWE-915 vulnerabilities
- CVE-2026-50160 — Critical (CVSS 10.0): Hoppscotch is an API development ecosystem. In self-hosted deployments of hoppscotch-backend from version 2026.4.1 and…
- CVE-2026-33453 — Critical (CVSS 10.0): Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap…
- CVE-2025-58367 — Critical (CVSS 10.0): DeepDiff is a project focused on Deep Difference and search of any Python data. Versions 5.0.0 through 8.6.0 are…
- CVE-2026-56142 — Critical (CVSS 9.9): In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429…
- CVE-2025-2304 — Critical (CVSS 9.4): A Privilege Escalation through a Mass Assignment exists in Camaleon CMS When a user wishes to change his password, the…
- CVE-2025-24370 — Critical (CVSS 9.3): Django-Unicorn adds modern reactive component functionality to Django templates. Affected versions of Django-Unicorn…