CVE-2026-33075
Published: 20 March 2026
Summary
CVE-2026-33075 is a high-severity Download of Code Without Integrity Check (CWE-494) vulnerability in FastGPT (labring/FastGPT). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002). By exploit likelihood it ranks in the 4.1 percentile (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised under APIs and Models, in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SA-12 (Supply Chain Protection) and SR-3 (Supply Chain Controls and Processes).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SR-3 (Supply Chain Controls and Processes): implements supply chain controls and processes to protect CI/CD workflows from arbitrary code execution, secret exfiltration, and malicious Docker image pushes triggered by untrusted pull requests.
- SA-12 (Supply Chain Protection): protects against supply chain risks by preventing unauthorized modifications and compromises during development and distribution of components such as Docker images built from attacker-controlled Dockerfiles.
- Access restrictions for workflow changes: restricts who can change GitHub Actions workflow configurations, mitigating the risk of deploying vulnerable pull_request_target workflows that check out and execute untrusted fork code.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables arbitrary code execution in a privileged CI workflow via an attacker-controlled Dockerfile (T1059.004, Unix Shell), exfiltration of the secrets injected as environment variables (T1041, Exfiltration Over C2 Channel), and supply chain compromise via a malicious image push to the production registry (T1195.002, Compromise Software Supply Chain).
NVD Description
FastGPT is an AI Agent building platform. In versions 4.14.8.3 and below, the fastgpt-preview-image.yml workflow is vulnerable to arbitrary code execution and secret exfiltration by any external contributor. It uses pull_request_target (which runs with access to repository secrets) but checks out code from the pull request author's fork, then builds and pushes Docker images using attacker-controlled Dockerfiles. This also enables a supply chain attack via the production container registry. A patch was not available at the time of publication.
Deeper analysis
CVE-2026-33075 affects FastGPT, an AI Agent building platform, specifically in versions 4.14.8.3 and below. The vulnerability resides in the fastgpt-preview-image.yml GitHub Actions workflow, which enables arbitrary code execution and secret exfiltration. This occurs because the workflow uses the pull_request_target event trigger, granting it access to repository secrets, while checking out code from the pull request author's fork and subsequently building and pushing Docker images based on attacker-controlled Dockerfiles.
Any external contributor can exploit this vulnerability by submitting a malicious pull request. The attacker-controlled code from their fork executes in an environment with repository secret privileges, allowing arbitrary code execution, exfiltration of secrets, and a supply chain attack by pushing malicious Docker images to the production container registry.
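The failure mode described above is a workflow shape, so it can be screened for mechanically. The following is an added example for this page, not code from the FastGPT project: a stdlib-only, line-oriented audit that flags a pull_request_target trigger combined with a checkout of the pull request head, and reports whether secrets and a registry push are also in scope. The three workflow snippets are constructed to illustrate the shape; they are not the contents of fastgpt-preview-image.yml, and the registry host, secret names and action versions are placeholders. The hardened variant relies on documented GitHub behaviour: on a plain pull_request event from a fork, repository secrets are not available and GITHUB_TOKEN is read-only.

```python
# Audit GitHub Actions workflow text for the CVE-2026-33075 pattern:
# pull_request_target (secrets in scope) + checkout of the PR head (fork code)
# + a build/push step. Heuristic, stdlib only; not a full YAML parser.
import re

# Constructed sample: the vulnerable shape. The checkout pulls the fork's head
# commit, and the build step runs whatever Dockerfile that commit contains.
VULNERABLE_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.REGISTRY_USER }}
          password: ${{ secrets.REGISTRY_TOKEN }}
      - uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: registry.example.invalid/fastgpt:pr-${{ github.event.number }}
"""

# Constructed sample: one hardened variant. On plain pull_request a fork PR
# gets no repository secrets and a read-only token; the image is built, not pushed.
HARDENED_WORKFLOW = """\
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/build-push-action@v5
        with:
          context: .
          push: false
"""

# Constructed sample: pull_request_target used as intended. It never checks out
# the PR head, so fork code is never executed in the privileged context.
SAFE_PRT_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
"""

# Trigger written either as a mapping key or inline on the `on:` line.
PRT_TRIGGER = re.compile(r"^\s*pull_request_target\s*:|^\s*on\s*:.*\bpull_request_target\b", re.M)
# Any reference to the PR head (sha, ref or fork repository) used for checkout.
HEAD_CHECKOUT = re.compile(r"github\.event\.pull_request\.head\.(sha|ref|repo)")
SECRETS_USED = re.compile(r"\$\{\{\s*secrets\.")
PUSH_ENABLED = re.compile(r"^\s*push\s*:\s*true\s*$", re.M)


def audit_workflow(text: str) -> list[str]:
    """Return findings for one workflow file; an empty list means the pattern is absent."""
    findings: list[str] = []
    privileged = bool(PRT_TRIGGER.search(text))
    runs_fork_code = bool(HEAD_CHECKOUT.search(text))
    # pull_request_target alone, or a head checkout alone, is not the bug.
    if not (privileged and runs_fork_code):
        return findings
    findings.append("pull_request_target job checks out the PR head: fork code runs with secrets in scope")
    if SECRETS_USED.search(text):
        findings.append("repository secrets are referenced in the same workflow and can be exfiltrated")
    if PUSH_ENABLED.search(text):
        findings.append("an image built from fork-controlled input is pushed to a registry")
    return findings


if __name__ == "__main__":
    for name, text in [("vulnerable.yml", VULNERABLE_WORKFLOW),
                       ("hardened.yml", HARDENED_WORKFLOW),
                       ("labeler.yml", SAFE_PRT_WORKFLOW)]:
        findings = audit_workflow(text)
        print(f"{name}: {'FLAGGED' if findings else 'ok'}")
        for f in findings:
            print(f"  - {f}")
```

Treat this as a first-pass screen, not a verdict: it only recognises head checkouts expressed through `github.event.pull_request.head.*`, so a `run:` step that fetches the fork with `git` or `gh pr checkout` would slip past it, and it does not model per-job `permissions:` or environment protection rules. The labeler sample is included deliberately: pull_request_target is legitimate when the job never executes fork content, which is why the audit keys on the combination rather than the trigger alone. Where a preview image must still be published, the usual remedy is to split the work into a pull_request job that builds without secrets and a separate workflow_run job on the base branch that pushes.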
The GitHub security advisory at https://github.com/labring/FastGPT/security/advisories/GHSA-xfx8-w35j-485c notes that no patch was available at the time of publication (2026-03-20).
FastGPT's role as an AI Agent platform makes this relevant to AI/ML workflows: a compromised image in the production registry could propagate to downstream AI deployments. No in-the-wild exploitation is reported in the sources cited here.
Details
- CWE(s): CWE-494 (Download of Code Without Integrity Check)
- Affected Products: FastGPT versions 4.14.8.3 and below
AI Security Analysis
- AI Category: APIs and Models
- Risk Domain: Privacy and Disclosure
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai