{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33075", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T19:27:06.344Z", "datePublished": "2026-03-20T08:37:16.169Z", "dateUpdated": "2026-03-20T13:48:05.632Z"}, "containers": {"cna": {"title": "FastGPT has Arbitrary Code Execution in GitHub Actions via pull_request_target in fastgpt-preview-image.yml", "problemTypes": [{"descriptions": [{"cweId": "CWE-494", "lang": "en", "description": "CWE-494: Download of Code Without Integrity Check", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-829", "lang": "en", "description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-xfx8-w35j-485c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/labring/FastGPT/security/advisories/GHSA-xfx8-w35j-485c"}], "affected": [{"vendor": "labring", "product": "FastGPT", "versions": [{"version": "<= 4.14.8.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T08:37:16.169Z"}, "descriptions": [{"lang": "en", "value": "FastGPT is an AI Agent building platform. In versions 4.14.8.3 and below, the fastgpt-preview-image.yml workflow is vulnerable to arbitrary code execution and secret exfiltration by any external contributor. It uses pull_request_target (which runs with access to repository secrets) but checks out code from the pull request author's fork, then builds and pushes Docker images using attacker-controlled Dockerfiles. This also enables a supply chain attack via the production container registry. A patch was not available at the time of publication."}], "source": {"advisory": "GHSA-xfx8-w35j-485c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T13:47:53.551950Z", "id": "CVE-2026-33075", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T13:48:05.632Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33075", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T13:47:53.551950Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T13:48:02.604Z"}}], "cna": {"title": "FastGPT has Arbitrary Code Execution in GitHub Actions via pull_request_target in fastgpt-preview-image.yml", "source": {"advisory": "GHSA-xfx8-w35j-485c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "labring", "product": "FastGPT", "versions": [{"status": "affected", "version": "<= 4.14.8.3"}]}], "references": [{"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-xfx8-w35j-485c", "name": "https://github.com/labring/FastGPT/security/advisories/GHSA-xfx8-w35j-485c", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "FastGPT is an AI Agent building platform. In versions 4.14.8.3 and below, the fastgpt-preview-image.yml workflow is vulnerable to arbitrary code execution and secret exfiltration by any external contributor. It uses pull_request_target (which runs with access to repository secrets) but checks out code from the pull request author's fork, then builds and pushes Docker images using attacker-controlled Dockerfiles. This also enables a supply chain attack via the production container registry. A patch was not available at the time of publication."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-494", "description": "CWE-494: Download of Code Without Integrity Check"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-829", "description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T08:37:16.169Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33075", "state": "PUBLISHED", "dateUpdated": "2026-03-20T13:48:05.632Z", "dateReserved": "2026-03-17T19:27:06.344Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T08:37:16.169Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fastgpt:fastgpt:*:*:*:*:*:*:*:*", "matchCriteriaId": "67E11077-E8F5-4C62-90A3-27D47A89D7C6", "versionEndIncluding": "4.14.8.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FastGPT is an AI Agent building platform. In versions 4.14.8.3 and below, the fastgpt-preview-image.yml workflow is vulnerable to arbitrary code execution and secret exfiltration by any external contributor. It uses pull_request_target (which runs with access to repository secrets) but checks out code from the pull request author's fork, then builds and pushes Docker images using attacker-controlled Dockerfiles. This also enables a supply chain attack via the production container registry. A patch was not available at the time of publication."}, {"lang": "es", "value": "FastGPT es una plataforma de creaci\u00f3n de agentes de IA. En las versiones 4.14.8.3 e inferiores, el flujo de trabajo fastgpt-preview-image.yml es vulnerable a la ejecuci\u00f3n de c\u00f3digo arbitrario y a la exfiltraci\u00f3n de secretos por cualquier colaborador externo. Utiliza pull_request_target (que se ejecuta con acceso a los secretos del repositorio) pero extrae c\u00f3digo del fork del autor de la solicitud de extracci\u00f3n, luego construye y env\u00eda im\u00e1genes Docker utilizando Dockerfiles controlados por el atacante. Esto tambi\u00e9n permite un ataque a la cadena de suministro a trav\u00e9s del registro de contenedores de producci\u00f3n. Un parche no estaba disponible en el momento de la publicaci\u00f3n."}], "id": "CVE-2026-33075", "lastModified": "2026-03-23T15:42:34.453", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T09:16:15.877", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/labring/FastGPT/security/advisories/GHSA-xfx8-w35j-485c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-494"}, {"lang": "en", "value": "CWE-829"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.14.8.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "FastGPT", "source": "cna", "vendor": "labring"}, "product": "fastgpt", "vendor": "labring"}], "analysis": {"en": {"generated_at": "2026-03-23T16:26:25.184182+00:00", "value": {"mitigation_remediation": ["Modify the fastgpt-preview-image.yml workflow to use pull_request instead of pull_request_target or remove the use of sensitive secrets from the workflow", "Restrict access to repository secrets so that only a controlled workflow can use them", "Validate and whitelist Dockerfile contents before building images", "Update FastGPT to a version newer than 4.14.8.3 once a patch is released", "Monitor GitHub Actions logs for unexpected Docker builds or secret usage"], "summary": {"action": "Immediate Patch", "impact": "Arbitrary code execution via GitHub Actions"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the FastGPT platform from labring. Affected software versions are 4.14.8.3 and below. No other products or versions are listed.", "description_and_impact": "FastGPT v4.14.8.3 and earlier have a workflow that uses the pull_request_target trigger, which runs with access to repository secrets, and checks out the code from the pull request author's fork. An attacker can supply a crafted Dockerfile that is built and pushed to the production container registry, granting remote code execution and enabling secret exfiltration. The weakness involves CWE\u2011494 (Unrestricted Write to File) and CWE\u2011829 (Improper Restriction of XML External Entity Reference). This flaw allows an external contributor to execute arbitrary code on the CI runner and compromise all secrets exposed to the workflow.", "risk_and_exploitability": "The CVSS score is 9.4, indicating critical severity. The EPSS score is less than 1%, suggesting a low probability of exploitation detected in the wild so far, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the attack vector is publicly available via the GitHub Actions pull_request_target mechanism, meaning that any open pull request can be used by an attacker to trigger the exploit. Once the forked code is merged into the CI pipeline, the attacker can execute arbitrary code and exfiltrate secrets."}}}}, "created": "2026-03-20T10:05:02.966613+00:00", "updated": "2026-03-25T14:29:48.670259+00:00", "vendors": ["labring", "labring$PRODUCT$fastgpt"]}