CVE-2026-33075
Received - Intake
Arbitrary Code Execution in FastGPT Workflow Enables Secret Theft

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
FastGPT is an AI Agent building platform. In versions 4.14.8.3 and below, the fastgpt-preview-image.yml workflow is vulnerable to arbitrary code execution and secret exfiltration by any external contributor. It uses pull_request_target (which runs with access to repository secrets) but checks out code from the pull request author's fork, then builds and pushes Docker images using attacker-controlled Dockerfiles. This also enables a supply chain attack via the production container registry. A patch was not available at the time of publication.
Meta Information
Published: 2026-03-20
Last Modified: 2026-03-23
Generated: 2026-05-07
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: fastgpt
Product: fastgpt
Version / Range: to 4.14.8.3 (inc)
CWE
CWE-494: The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
CWE-829: The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
AI Powered Q&A
Can you explain this vulnerability to me?

The CVE-2026-33075 vulnerability affects the FastGPT AI Agent building platform in versions 4.14.8.3 and below. It exists in the GitHub Actions workflow defined in `.github/workflows/fastgpt-preview-image.yml` which uses the `pull_request_target` event. This event runs with access to repository secrets but dangerously checks out code from the pull request author's fork.

Because the workflow builds and pushes Docker images using attacker-controlled Dockerfiles from untrusted forks, an external contributor can execute arbitrary code and exfiltrate secrets during the workflow run. This also enables supply chain attacks by pushing malicious images to the production container registry.

The vulnerability arises because the workflow runs with elevated privileges and access to sensitive secrets (such as Aliyun Container Registry credentials and GitHub tokens) while building code from untrusted sources without integrity checks. [1]


How can this vulnerability impact me?

This vulnerability can have severe impacts including arbitrary code execution within the GitHub Actions environment and secret exfiltration.

  • Attackers can steal sensitive secrets such as container registry credentials and GitHub tokens.
  • Attackers can push malicious Docker images to the production container registry, enabling supply chain attacks that compromise downstream deployments.
  • Theft of registry credentials can allow attackers to overwrite production images or inject malicious code into images used by end users.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by auditing your GitHub Actions workflows, specifically the `.github/workflows/fastgpt-preview-image.yml` file, to check if it uses the `pull_request_target` event and whether it checks out code from pull request forks without restrictions.

You should look for the presence of the following in your workflow configuration:

  • Use of `pull_request_target` event without label gating, merge requirements, or branch restrictions.
  • Checkout step that overrides `ref` and `repository` to pull code from the PR author's fork, e.g.: `uses: actions/checkout@v3` with `ref: ${{ github.event.pull_request.head.ref }}` and `repository: ${{ github.event.pull_request.head.repo.full_name }}`.

To detect if the vulnerability is being exploited or if secrets have been exfiltrated, you can audit your GitHub Actions logs for suspicious Docker build commands or unexpected network connections during workflow runs.

Suggested commands to help detect suspicious activity include:

  • Review recent workflow runs in GitHub Actions UI or via GitHub CLI: `gh run list --workflow=fastgpt-preview-image.yml`
  • Inspect logs of suspicious runs: `gh run view <run-id> --log`
  • Audit Docker images pushed to Aliyun Container Registry for unexpected tags or images.
  • Check for unauthorized network connections or data exfiltration attempts in your CI environment logs.

[1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Replace the `pull_request_target` event in the workflow with a safer two-step process: use a `pull_request` workflow to build the Docker image without pushing, then a `workflow_run` workflow to scan and push the image with elevated privileges.
  • Remove the `ref` and `repository` overrides in the checkout step to ensure only trusted base branch code is built, preventing execution of untrusted PR code.
  • Add environment protection rules requiring maintainer approval before running the workflow.
  • Immediately rotate all exposed secrets including `FASTGPT_ALI_IMAGE_USER`, `FASTGPT_ALI_IMAGE_PSW`, and any personal access tokens.
  • Audit the Aliyun Container Registry for unauthorized image pushes or tag overwrites.
  • Scope registry credentials to a dedicated service account with limited permissions.
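
A static check for the workflow pattern named in the detection and mitigation answers above, as an added example (not FastGPT's workflow or this site's code): it flags a `pull_request_target` workflow whose checkout overrides `ref` or `repository` with the pull request head, and lists the secrets that workflow references. Both workflow samples are constructed, and `audit_workflow` is a hypothetical name.

```python
import re

# Constructed sample of the pattern the page describes (not the real FastGPT file).
VULNERABLE = """\
on:
  pull_request_target:
jobs:
  preview:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
      - run: docker build -t preview .
        env:
          REG_USER: ${{ secrets.FASTGPT_ALI_IMAGE_USER }}
          REG_PSW: ${{ secrets.FASTGPT_ALI_IMAGE_PSW }}
"""
# Constructed sample of the first half of the two-step fix: build only, no secrets.
HARDENED = """\
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: docker build -t preview .
"""

TRIGGER = re.compile(r"^[\s\-\[\w,:]*\bpull_request_target\b", re.M)
HEAD_REF = re.compile(r"^\s*(ref|repository):.*github\.event\.pull_request\.head\.", re.M)
SECRET = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")

def audit_workflow(text):
    """Heuristic, line-based audit of one workflow file's YAML text."""
    # Ignore comment-only lines so commented-out config is not reported.
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    if not TRIGGER.search(body):
        return []
    findings = ["trigger: pull_request_target"]
    overrides = sorted({m.group(1) for m in HEAD_REF.finditer(body)})
    if overrides:
        findings.append("checkout of PR head via: " + ", ".join(overrides))
        # Named secrets only; the job's GITHUB_TOKEN is exposed as well.
        names = sorted(set(SECRET.findall(body)))
        if names:
            findings.append("secrets reachable by PR code: " + ", ".join(names))
    return findings
```

Run it over each file under `.github/workflows/`; the check does not parse YAML, so a finding is a prompt to read the workflow rather than a verdict.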
