{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33075", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T19:27:06.344Z", "datePublished": "2026-03-20T08:37:16.169Z", "dateUpdated": "2026-03-20T13:48:05.632Z"}, "containers": {"cna": {"title": "FastGPT has Arbitrary Code Execution in GitHub Actions via pull_request_target in fastgpt-preview-image.yml", "problemTypes": [{"descriptions": [{"cweId": "CWE-494", "lang": "en", "description": "CWE-494: Download of Code Without Integrity Check", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-829", "lang": "en", "description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-xfx8-w35j-485c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/labring/FastGPT/security/advisories/GHSA-xfx8-w35j-485c"}], "affected": [{"vendor": "labring", "product": "FastGPT", "versions": [{"version": "<= 4.14.8.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T08:37:16.169Z"}, "descriptions": [{"lang": "en", "value": "FastGPT is an AI Agent building platform. In versions 4.14.8.3 and below, the fastgpt-preview-image.yml workflow is vulnerable to arbitrary code execution and secret exfiltration by any external contributor. It uses pull_request_target (which runs with access to repository secrets) but checks out code from the pull request author's fork, then builds and pushes Docker images using attacker-controlled Dockerfiles. This also enables a supply chain attack via the production container registry. A patch was not available at the time of publication."}], "source": {"advisory": "GHSA-xfx8-w35j-485c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T13:47:53.551950Z", "id": "CVE-2026-33075", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T13:48:05.632Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33075", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T13:47:53.551950Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T13:48:02.604Z"}}], "cna": {"title": "FastGPT has Arbitrary Code Execution in GitHub Actions via pull_request_target in fastgpt-preview-image.yml", "source": {"advisory": "GHSA-xfx8-w35j-485c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "labring", "product": "FastGPT", "versions": [{"status": "affected", "version": "<= 4.14.8.3"}]}], "references": [{"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-xfx8-w35j-485c", "name": "https://github.com/labring/FastGPT/security/advisories/GHSA-xfx8-w35j-485c", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "FastGPT is an AI Agent building platform. In versions 4.14.8.3 and below, the fastgpt-preview-image.yml workflow is vulnerable to arbitrary code execution and secret exfiltration by any external contributor. It uses pull_request_target (which runs with access to repository secrets) but checks out code from the pull request author's fork, then builds and pushes Docker images using attacker-controlled Dockerfiles. This also enables a supply chain attack via the production container registry. A patch was not available at the time of publication."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-494", "description": "CWE-494: Download of Code Without Integrity Check"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-829", "description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T08:37:16.169Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33075", "state": "PUBLISHED", "dateUpdated": "2026-03-20T13:48:05.632Z", "dateReserved": "2026-03-17T19:27:06.344Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T08:37:16.169Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "FastGPT is an AI Agent building platform. In versions 4.14.8.3 and below, the fastgpt-preview-image.yml workflow is vulnerable to arbitrary code execution and secret exfiltration by any external contributor. It uses pull_request_target (which runs with access to repository secrets) but checks out code from the pull request author's fork, then builds and pushes Docker images using attacker-controlled Dockerfiles. This also enables a supply chain attack via the production container registry. A patch was not available at the time of publication."}], "id": "CVE-2026-33075", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T09:16:15.877", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/labring/FastGPT/security/advisories/GHSA-xfx8-w35j-485c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-494"}, {"lang": "en", "value": "CWE-829"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.14.8.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "FastGPT", "source": "cna", "vendor": "labring"}, "product": "fastgpt", "vendor": "labring"}], "analysis": {"en": {"generated_at": "2026-03-20T09:20:36.000658+00:00", "value": {"mitigation_remediation": ["Disable or remove the fastgpt-preview-image.yml workflow or change its trigger from pull_request_target to pull_request to prevent external PR code from running with repository secrets.", "Restrict the secrets available to the workflow by removing sensitive secrets or limiting them to trusted branches and events.", "Apply the vendor patch as soon as it becomes available; if not, employ the above workflow restrictions until a fix is released.", "Monitor the container registry for anomalous image uploads and set up image signing or scanning to detect tampered builds.", "Review the repository\u2019s workflow permissions and consider moving the CI pipeline to a dedicated environment with restricted access."], "summary": {"action": "Assess Impact", "impact": "Arbitrary Code Execution"}, "threat_synthesis": {"affected_systems": "Affected vendor: labring FastGPT. Product: FastGPT platform. Affected versions: 4.14.8.3 and earlier. No vendor-provided patch is available as of the advisory. The repository hosts the vulnerable workflow file fastgpt-preview-image.yml used by the CI system for preview builds.", "description_and_impact": "Key detail from vendor description: FastGPT is an AI Agent building platform. In versions 4.14.8.3 and below, the fastgpt-preview-image.yml workflow is vulnerable to arbitrary code execution and secret exfiltration by any external contributor. The workflow uses pull_request_target, which runs with repository secrets, but checks out code from the pull request author's fork and builds Docker images with attacker-controlled Dockerfiles. This allows arbitrary command execution and supply chain compromise on the production container registry.", "risk_and_exploitability": "Risk assessment: The CVSS score is 9.4, indicating critical severity. EPSS score is not available, but the lack of a KEV listing does not reduce the potential impact. The likely attack vector is any public pull request authored by an external contributor, which is inferred from the use of pull_request_target. An attacker could exfiltrate secrets, create malicious Docker images, and distribute compromised containers through the registry, resulting in full system compromise. The exploit requires modifying or pushing a PR to the repository; therefore, the vulnerability is exploitable by external PR authors."}}}}, "created": "2026-03-20T10:05:02.966613+00:00", "updated": "2026-03-20T10:26:09.066540+00:00", "vendors": ["labring", "labring$PRODUCT$fastgpt"]}