CVE-2026-33075
Received Received - Intake
Arbitrary Code Execution in FastGPT Workflow Enables Secret Theft

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
FastGPT is an AI Agent building platform. In versions 4.14.8.3 and below, the fastgpt-preview-image.yml workflow is vulnerable to arbitrary code execution and secret exfiltration by any external contributor. It uses pull_request_target (which runs with access to repository secrets) but checks out code from the pull request author's fork, then builds and pushes Docker images using attacker-controlled Dockerfiles. This also enables a supply chain attack via the production container registry. A patch was not available at the time of publication.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33075
EUVD
EUVD-2026-13645
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fastgpt fastgpt to 4.14.8.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
CWE-494 The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "The CVE-2026-33075 vulnerability affects the FastGPT AI Agent building platform in versions 4.14.8.3 and below. It exists in the GitHub Actions workflow defined in `.github/workflows/fastgpt-preview-image.yml` which uses the `pull_request_target` event. This event runs with access to repository secrets but dangerously checks out code from the pull request author's fork."}, {'type': 'paragraph', 'content': 'Because the workflow builds and pushes Docker images using attacker-controlled Dockerfiles from untrusted forks, an external contributor can execute arbitrary code and exfiltrate secrets during the workflow run. This also enables supply chain attacks by pushing malicious images to the production container registry.'}, {'type': 'paragraph', 'content': 'The vulnerability arises because the workflow runs with elevated privileges and access to sensitive secrets (such as Aliyun Container Registry credentials and GitHub tokens) while building code from untrusted sources without integrity checks.'}] [1]

Impact Analysis

This vulnerability can have severe impacts including arbitrary code execution within the GitHub Actions environment and secret exfiltration.

  • Attackers can steal sensitive secrets such as container registry credentials and GitHub tokens.
  • Attackers can push malicious Docker images to the production container registry, enabling supply chain attacks that compromise downstream deployments.
  • Registry credentials theft can allow attackers to overwrite production images or inject malicious code into images used by end users.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by auditing your GitHub Actions workflows, specifically the `.github/workflows/fastgpt-preview-image.yml` file, to check if it uses the `pull_request_target` event and whether it checks out code from pull request forks without restrictions.'}, {'type': 'paragraph', 'content': 'You should look for the presence of the following in your workflow configuration:'}, {'type': 'list_item', 'content': 'Use of `pull_request_target` event without label gating, merge requirements, or branch restrictions.'}, {'type': 'list_item', 'content': "Checkout step that overrides `ref` and `repository` to pull code from the PR author's fork, e.g.: `uses: actions/checkout@v3` with `ref: ${{ github.event.pull_request.head.ref }}` and `repository: ${{ github.event.pull_request.head.repo.full_name }}`."}, {'type': 'paragraph', 'content': 'To detect if the vulnerability is being exploited or if secrets have been exfiltrated, you can audit your GitHub Actions logs for suspicious Docker build commands or unexpected network connections during workflow runs.'}, {'type': 'paragraph', 'content': 'Suggested commands to help detect suspicious activity include:'}, {'type': 'list_item', 'content': 'Review recent workflow runs in GitHub Actions UI or via GitHub CLI: `gh run list --workflow=fastgpt-preview-image.yml`'}, {'type': 'list_item', 'content': 'Inspect logs of suspicious runs: `gh run view <run-id> --log`'}, {'type': 'list_item', 'content': 'Audit Docker images pushed to Aliyun Container Registry for unexpected tags or images.'}, {'type': 'list_item', 'content': 'Check for unauthorized network connections or data exfiltration attempts in your CI environment logs.'}] [1]

Mitigation Strategies

Immediate mitigation steps include:

  • Replace the use of `pull_request_target` event in the workflow with a safer two-step process: use a `pull_request` workflow to build the Docker image without pushing, then a `workflow_run` workflow to scan and push the image with elevated privileges.
  • Remove the `ref` and `repository` overrides in the checkout step to ensure only trusted base branch code is built, preventing execution of untrusted PR code.
  • Add environment protection rules requiring maintainer approval before running the workflow.
  • Immediately rotate all exposed secrets including `FASTGPT_ALI_IMAGE_USER`, `FASTGPT_ALI_IMAGE_PSW`, and any personal access tokens.
  • Audit the Aliyun Container Registry for unauthorized image pushes or tag overwrites.
  • Scope registry credentials to a dedicated service account with limited permissions.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33075. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart