Description
FastGPT is an AI Agent building platform. In versions 4.14.8.3 and below, the fastgpt-preview-image.yml workflow is vulnerable to arbitrary code execution and secret exfiltration by any external contributor. It uses pull_request_target (which runs with access to repository secrets) but checks out code from the pull request author's fork, then builds and pushes Docker images using attacker-controlled Dockerfiles. This also enables a supply chain attack via the production container registry. A patch was not available at the time of publication.
Published: 2026-03-20
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution via GitHub Actions
Action: Immediate Patch
AI Analysis

Impact

FastGPT v4.14.8.3 and earlier have a workflow that uses the pull_request_target trigger, which runs with access to repository secrets, and checks out the code from the pull request author's fork. An attacker can supply a crafted Dockerfile that is built and pushed to the production container registry, granting remote code execution and enabling secret exfiltration. The weakness involves CWE‑494 (Unrestricted Write to File) and CWE‑829 (Improper Restriction of XML External Entity Reference). This flaw allows an external contributor to execute arbitrary code on the CI runner and compromise all secrets exposed to the workflow.

Affected Systems

The vulnerability affects the FastGPT platform from labring. Affected software versions are 4.14.8.3 and below. No other products or versions are listed.

Risk and Exploitability

The CVSS score is 9.4, indicating critical severity. The EPSS score is less than 1%, suggesting a low probability of exploitation detected in the wild so far, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the attack vector is publicly available via the GitHub Actions pull_request_target mechanism, meaning that any open pull request can be used by an attacker to trigger the exploit. Once the forked code is merged into the CI pipeline, the attacker can execute arbitrary code and exfiltrate secrets.

Generated by OpenCVE AI on March 23, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Modify the fastgpt-preview-image.yml workflow to use pull_request instead of pull_request_target or remove the use of sensitive secrets from the workflow
  • Restrict access to repository secrets so that only a controlled workflow can use them
  • Validate and whitelist Dockerfile contents before building images
  • Update FastGPT to a version newer than 4.14.8.3 once a patch is released
  • Monitor GitHub Actions logs for unexpected Docker builds or secret usage

Generated by OpenCVE AI on March 23, 2026 at 16:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Fastgpt
Fastgpt fastgpt
CPEs cpe:2.3:a:fastgpt:fastgpt:*:*:*:*:*:*:*:*
Vendors & Products Fastgpt
Fastgpt fastgpt
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 20 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Labring
Labring fastgpt
Vendors & Products Labring
Labring fastgpt

Fri, 20 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
Description FastGPT is an AI Agent building platform. In versions 4.14.8.3 and below, the fastgpt-preview-image.yml workflow is vulnerable to arbitrary code execution and secret exfiltration by any external contributor. It uses pull_request_target (which runs with access to repository secrets) but checks out code from the pull request author's fork, then builds and pushes Docker images using attacker-controlled Dockerfiles. This also enables a supply chain attack via the production container registry. A patch was not available at the time of publication.
Title FastGPT has Arbitrary Code Execution in GitHub Actions via pull_request_target in fastgpt-preview-image.yml
Weaknesses CWE-494
CWE-829
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Fastgpt Fastgpt
Labring Fastgpt
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T13:48:05.632Z

Reserved: 2026-03-17T19:27:06.344Z

Link: CVE-2026-33075

cve-icon Vulnrichment

Updated: 2026-03-20T13:48:02.604Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T09:16:15.877

Modified: 2026-03-23T15:42:34.453

Link: CVE-2026-33075

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:29:48Z

Weaknesses