CVE-2026-32128
Received Received - Intake

Sandbox Bypass in FastGPT Allows Arbitrary File Writes

Vulnerability report for CVE-2026-32128, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-11

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description

FastGPT is an AI Agent building platform. In 4.14.7 and earlier, FastGPT's Python Sandbox (fastgpt-sandbox) includes guardrails intended to prevent file writes (static detection + seccomp). These guardrails are bypassable by remapping stdout (fd 1) to an arbitrary writable file descriptor using fcntl. After remapping, writing via sys.stdout.write() still satisfies the seccomp rule write(fd==1), enabling arbitrary file creation/overwrite inside the sandbox container despite the intended no file writes restriction.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-11
Last Modified
2026-03-19
Generated
2026-07-06
AI Q&A
2026-03-12
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
fastgpt fastgpt to 4.14.7 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-184 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in FastGPT's Python Sandbox (fastgpt-sandbox) version 4.14.7 and earlier. The sandbox includes guardrails designed to prevent file writes using static detection and seccomp rules. However, these protections can be bypassed by remapping the standard output (stdout, file descriptor 1) to an arbitrary writable file descriptor using the fcntl system call. After this remapping, writing through sys.stdout.write() still triggers the seccomp rule for writing to fd 1, allowing an attacker to create or overwrite arbitrary files inside the sandbox container despite the intended restriction against file writes.

Impact Analysis

This vulnerability allows an attacker with access to the FastGPT Python Sandbox to bypass file write restrictions and create or overwrite arbitrary files within the sandbox container. This can lead to unauthorized modification of files, potential data corruption, or persistence of malicious code inside the container environment. The impact includes confidentiality, integrity, and availability risks as indicated by the CVSS score.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32128. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart