{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32128", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T22:19:36.545Z", "datePublished": "2026-03-11T21:30:26.336Z", "dateUpdated": "2026-03-12T16:18:13.936Z"}, "containers": {"cna": {"title": "FastGPT Python Sandbox Bypass of File-Write Restriction", "problemTypes": [{"descriptions": [{"cweId": "CWE-184", "lang": "en", "description": "CWE-184: Incomplete List of Disallowed Inputs", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-6hw6-mxrm-v6wj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/labring/FastGPT/security/advisories/GHSA-6hw6-mxrm-v6wj"}], "affected": [{"vendor": "labring", "product": "FastGPT", "versions": [{"version": "<= 4.14.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T21:30:26.336Z"}, "descriptions": [{"lang": "en", "value": "FastGPT is an AI Agent building platform. In 4.14.7 and earlier, FastGPT's Python Sandbox (fastgpt-sandbox) includes guardrails intended to prevent file writes (static detection + seccomp). These guardrails are bypassable by remapping stdout (fd 1) to an arbitrary writable file descriptor using fcntl. After remapping, writing via sys.stdout.write() still satisfies the seccomp rule write(fd==1), enabling arbitrary file creation/overwrite inside the sandbox container despite the intended no file writes restriction."}], "source": {"advisory": "GHSA-6hw6-mxrm-v6wj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T15:31:49.185736Z", "id": "CVE-2026-32128", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T16:18:13.936Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32128", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T15:31:49.185736Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T15:31:52.975Z"}}], "cna": {"title": "FastGPT Python Sandbox Bypass of File-Write Restriction", "source": {"advisory": "GHSA-6hw6-mxrm-v6wj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "labring", "product": "FastGPT", "versions": [{"status": "affected", "version": "<= 4.14.7"}]}], "references": [{"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-6hw6-mxrm-v6wj", "name": "https://github.com/labring/FastGPT/security/advisories/GHSA-6hw6-mxrm-v6wj", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "FastGPT is an AI Agent building platform. In 4.14.7 and earlier, FastGPT's Python Sandbox (fastgpt-sandbox) includes guardrails intended to prevent file writes (static detection + seccomp). These guardrails are bypassable by remapping stdout (fd 1) to an arbitrary writable file descriptor using fcntl. After remapping, writing via sys.stdout.write() still satisfies the seccomp rule write(fd==1), enabling arbitrary file creation/overwrite inside the sandbox container despite the intended no file writes restriction."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-184", "description": "CWE-184: Incomplete List of Disallowed Inputs"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T21:30:26.336Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32128", "state": "PUBLISHED", "dateUpdated": "2026-03-12T16:18:13.936Z", "dateReserved": "2026-03-10T22:19:36.545Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T21:30:26.336Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fastgpt:fastgpt:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE37BFC6-6051-4C66-AED8-9F7F80DC3EE6", "versionEndIncluding": "4.14.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FastGPT is an AI Agent building platform. In 4.14.7 and earlier, FastGPT's Python Sandbox (fastgpt-sandbox) includes guardrails intended to prevent file writes (static detection + seccomp). These guardrails are bypassable by remapping stdout (fd 1) to an arbitrary writable file descriptor using fcntl. After remapping, writing via sys.stdout.write() still satisfies the seccomp rule write(fd==1), enabling arbitrary file creation/overwrite inside the sandbox container despite the intended no file writes restriction."}, {"lang": "es", "value": "FastGPT es una plataforma de creaci\u00f3n de agentes de IA. En 4.14.7 y versiones anteriores, el sandbox de Python de FastGPT (fastgpt-sandbox) incluye barreras de seguridad destinadas a prevenir escrituras de archivos (detecci\u00f3n est\u00e1tica + seccomp). Estas barreras de seguridad son eludibles reasignando stdout (fd 1) a un descriptor de archivo arbitrario con permisos de escritura usando fcntl. Despu\u00e9s de la reasignaci\u00f3n, la escritura a trav\u00e9s de sys.stdout.write() a\u00fan satisface la regla de seccomp write(fd==1), lo que permite la creaci\u00f3n/sobrescritura arbitraria de archivos dentro del contenedor del sandbox a pesar de la restricci\u00f3n intencionada de no escritura de archivos."}], "id": "CVE-2026-32128", "lastModified": "2026-03-19T17:38:40.920", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-11T22:16:32.633", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit", "Mitigation"], "url": "https://github.com/labring/FastGPT/security/advisories/GHSA-6hw6-mxrm-v6wj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-184"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.14.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "FastGPT", "source": "cna", "vendor": "labring"}, "product": "fastgpt", "vendor": "labring"}], "analysis": {"en": {"generated_at": "2026-03-19T18:52:45.342546+00:00", "value": {"mitigation_remediation": ["Update to the latest FastGPT release where the sandbox file\u2011write restriction has been corrected.", "If immediate upgrade is not possible, remove or restrict user ability to manipulate file descriptors\u2014tighten seccomp filters, disable stdout remapping or enforce least\u2011privilege execution for sandbox processes.", "Until a patch is available, avoid processing untrusted input in the sandbox or run the sandbox with minimal privileges required for operation."], "summary": {"action": "Apply Patch", "impact": "Arbitrary File Creation/Overwrite in Sandbox"}, "threat_synthesis": {"affected_systems": "Vendor: labring. Product: FastGPT. Affected versions: FastGPT 4.14.7 and all earlier releases. Any deployment of these versions is vulnerable due to the file\u2011write guardrail bypass.", "description_and_impact": "FastGPT\u2019s Python sandbox is intended to block file writes through static analysis and a seccomp filter that prohibits writes on file descriptor 1 (stdout). The vulnerability allows an attacker to remap stdout to any writable file descriptor using fcntl, and then perform sys.stdout.write(), which still satisfies the seccomp rule write(fd==1). Consequently, the sandbox can create or overwrite arbitrary files inside its container, violating the guardrail and compromising the integrity or confidentiality of data processed by the sandbox.", "risk_and_exploitability": "The CVSS score of 6.3 indicates a moderate impact, while the EPSS score of less than 1% shows a low probability of exploitation in the wild; it is not listed in the CISA KEV catalog. The attack scenario requires the ability to execute arbitrary Python code within the sandbox. By remapping stdout via fcntl, an attacker can write to any file inside the container, thereby persisting data or tampering with critical files. The vector is effectively local or remote with sufficient code\u2011execution privileges, making the vulnerability exploitable in environments that accept untrusted Python scripts."}}}}, "created": "2026-03-12T09:55:46.953129+00:00", "updated": "2026-03-20T15:36:55.850158+00:00", "vendors": ["labring", "labring$PRODUCT$fastgpt"]}