CVE-2026-50562 in FastGPTinfo

Summary

by MITRE • 07/15/2026

FastGPT is a knowledge-based AI application platform. At commit 22ebfacbb43311e9b73294040ae0eb87390c6bba and earlier, artifacts built from untrusted pull request code in .github/workflows/preview-docs-build.yml and .github/workflows/preview-fastgpt-build.yml can be downloaded by privileged workflow_run jobs in .github/workflows/preview-docs-push.yml and .github/workflows/preview-fastgpt-push.yml, allowing attacker-controlled Docker images from the document/ tree or FastGPT build context to be pushed to GHCR and, for documentation previews, deployed with secrets.KUBE_CONFIG_CN.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

This vulnerability exists in the FastGPT platform's GitHub Actions workflow configuration where untrusted code from pull requests can be executed with elevated privileges during the documentation and application build processes. The flaw stems from insufficient isolation between different workflow stages, allowing malicious actors to inject attacker-controlled Docker images into the build pipeline through the preview-docs-build.yml and preview-fastgpt-build.yml workflows. These workflows operate on untrusted pull request code and can subsequently push artifacts to GitHub Container Registry GHCR without proper validation or sanitization processes. The vulnerability represents a critical privilege escalation issue that maps to CWE-434 Unrestricted Upload of Code and CWE-787 Out-of-bounds Write, as the system allows arbitrary code execution within privileged contexts.

The operational impact of this vulnerability is severe as it enables attackers to compromise the entire documentation preview infrastructure and potentially the FastGPT application itself. When the malicious Docker images are built from the document/ tree or FastGPT build context, they can be pushed to GHCR and subsequently deployed using the secrets.KUBE_CONFIG_CN credential which provides access to Kubernetes clusters. This creates a complete compromise scenario where attackers can execute arbitrary code in production environments, exfiltrate sensitive data, or perform lateral movement within the infrastructure. The attack chain follows ATT&CK techniques such as T1059 Command and Scripting Interpreter for executing malicious code, T1078 Valid Accounts for leveraging legitimate credentials, and T1203 Exploitation for Access Through a Remote Service to gain access through the build system.

The root cause lies in the lack of proper security controls within the GitHub Actions workflows where privileged jobs can directly consume artifacts from untrusted pull request builds without proper verification mechanisms. The workflow configuration fails to implement proper isolation between different security domains, allowing code from potentially compromised pull requests to flow into production-like environments. Implementing security mitigations requires establishing strict artifact validation procedures, implementing proper access controls for privileged workflows, and ensuring that only trusted, verified artifacts can be promoted through the build pipeline. Organizations should enforce least privilege principles for workflow execution, implement artifact signing and verification processes, and establish clear boundaries between untrusted code execution and privileged operations. This vulnerability underscores the importance of securing CI/CD pipelines as they often contain elevated privileges and access to production systems.

Responsible

GitHub M

Reservation

06/04/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!