2 matches found
CVE-2026-61684
CVE-2026-61684 affects FastGPT, specifically versions around 4.15.0-beta4. The vulnerability stems from plugin invoke reverse-call endpoints under /api/invoke/* that authenticated solely by a JWT signed with INVOKE_TOKEN_SECRET, which defaults to the literal string token and was not set in offici...
CVE-2026-61684 FastGPT: Unauthenticated cross-tenant data access via forgeable plugin-invoke JWT (default INVOKE_TOKEN_SECRET='token')
FastGPT is a knowledge-based AI application platform. In 4.15.0-beta4, FastGPT plugin invoke reverse-call endpoints under /api/invoke/ authenticate only by verifying a JWT signed with INVOKETOKENSECRET, which defaults to the constant string token and was not set in official deployment templates. ...