CVE-2026-33075 in FastGPT
Summary
by MITRE • 03/20/2026
FastGPT is an AI Agent building platform. In versions 4.14.8.3 and below, the fastgpt-preview-image.yml workflow is vulnerable to arbitrary code execution and secret exfiltration by any external contributor. It uses pull_request_target (which runs with access to repository secrets) but checks out code from the pull request author's fork, then builds and pushes Docker images using attacker-controlled Dockerfiles. This also enables a supply chain attack via the production container registry. A patch was not available at the time of publication.
Analysis
by VulDB Data Team • 03/26/2026
CVE-2026-33075 affects the FastGPT AI Agent building platform in versions 4.14.8.3 and earlier. The flaw lies in the fastgpt-preview-image.yml workflow, whose configuration combines access to repository secrets with execution of untrusted code. The workflow is triggered by the pull_request_target GitHub event, which runs in the context of the base repository rather than the pull request fork; that combination breaks the trust model that normally keeps external contributors away from secrets.
The defect is the workflow's design: it checks out code from the pull request author's fork while retaining the secret access that pull_request_target grants. An attacker can therefore submit a malicious Dockerfile that is executed inside the build environment, giving them arbitrary code execution on the build runner. The vulnerability is classified under CWE-470, as it involves the use of insecure functions that allow for code injection through manipulation of Dockerfile content. Because the same job builds and pushes images, the flaw also opens a supply chain attack vector: the production container registry can be compromised through the compromised build process.
The operational impact goes well beyond code execution: the attacker gains access to repository secrets and credentials that are normally shielded from external contributors. Anyone able to open a pull request against the repository can exfiltrate sensitive information such as API keys, database credentials, and other confidential data held in the repository's secret store. The attack chain is short: the attacker submits a pull request carrying a malicious Dockerfile, the workflow executes it with elevated privileges, and the attacker ends up with the build environment's secrets and the ability to push malicious images to the production registry. This aligns with ATT&CK technique T1059.001 (execution through command and script interpreters) and T1531 (credential access through exploitation of repository secrets).
The supply chain dimension is the most concerning aspect: the attacker can compromise not just the repository but every downstream system that consumes the tainted container images. A malicious Dockerfile can alter the build to plant backdoors or other malicious code, or simply exfiltrate secrets before the final image is pushed to the production registry, creating a persistent threat across every deployment that relies on the compromised artifacts. Organizations using FastGPT in their development workflows face a significant risk of credential theft, service disruption, and data breaches. With no patch available at the time of publication, affected systems remain exposed indefinitely unless the workflow configuration is corrected by hand and proper security controls are put in place.
Mitigation should start with immediate workflow reconfiguration: stop using pull_request_target for workflows that need secret access, enforce proper code review, and validate Dockerfile content strictly. Automated workflows should run under least privilege, with build jobs granted only the permissions they actually need. The recommended approach is either to switch to the pull_request event, which runs in the context of the pull request fork without secret access, or to move building into a separate trusted environment that validates every code change before executing it. Organizations should also continuously monitor their container registries for suspicious image pushes and scan all build artifacts automatically so that compromised images are caught before they reach production.
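As an added example (not FastGPT's own workflow or code), the audit below places the risky pattern described above beside a hardened form and flags the combination of pull_request_target, a checkout of the PR head, secret references and a Docker build/push step. Both workflow texts, the registry.example host and the REGISTRY_TOKEN secret name are constructed for illustration.

```python
import re

# Constructed sample workflows (not FastGPT's actual fastgpt-preview-image.yml).
VULNERABLE_WORKFLOW = """\
on:
  pull_request_target:            # runs in the base repo, secrets available
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # fork's code, fork's Dockerfile
      - run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login -u bot --password-stdin registry.example
      - run: docker build -t registry.example/fastgpt:pr . && docker push registry.example/fastgpt:pr
"""
HARDENED_WORKFLOW = """\
on:
  pull_request:                   # runs in the fork's context: no secrets, read-only token
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t fastgpt:pr .   # build to validate the PR; never push from here
"""
HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")

def audit_workflow(text: str) -> list[str]:
    """Flag the trigger/checkout/secret/registry combination; an empty list means clean."""
    findings = []
    if re.search(r"^\s*pull_request_target\s*:", text, re.M) is None:
        return findings                       # plain pull_request cannot reach secrets
    findings.append("trigger: pull_request_target runs with base-repository secrets")
    if HEAD_REF.search(text):
        findings.append("checkout: ref is the PR head, so untrusted fork code is built")
    if "secrets." in text:
        findings.append("secrets: referenced in a job that may run untrusted code")
    if re.search(r"docker\s+(build|push)", text):
        findings.append("registry: docker build/push consumes a fork-controlled Dockerfile")
    return findings
```

Running audit_workflow over every file under .github/workflows gives a quick inventory of jobs that exhibit this pattern; a pull_request_target job is only acceptable when it never checks out or executes fork-controlled content.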