CVE-2026-32128 is a vulnerability in the FastGPT AI Agent building platform, specifically in its Python Sandbox component (fastgpt-sandbox) versions 4.14.7 and earlier. The sandbox implements guardrails to prevent file writes by combining static detection and seccomp filters that restrict write system calls to file descriptor 1 (stdout). However, the vulnerability arises because these guardrails do not account for the possibility of remapping stdout (fd 1) to another writable file descriptor using the fcntl system call. By remapping stdout to an arbitrary writable file descriptor, an attacker can bypass the seccomp rule that only allows writes to fd 1. Consequently, writing via sys.stdout.write() still passes the seccomp filter but actually writes to a different file descriptor, enabling arbitrary file creation or overwriting inside the sandbox container. This bypass undermines the sandbox's intended no file write restriction, potentially allowing attackers to modify files, inject malicious content, or disrupt sandbox operations. Exploitation requires the ability to execute code within the sandbox with at least low privileges but does not require user interaction. The vulnerability is classified under CWE-184 (Incomplete List of Disallowed Inputs), indicating insufficient input validation or filtering. The CVSS 3.1 base score is 6.3, reflecting a medium severity with network attack vector, low attack complexity, low privileges required, no user interaction, and impacts on confidentiality, integrity, and availability. No patches or known exploits are currently documented, but the risk remains significant due to the potential for sandbox escape or unauthorized file manipulation.

The vulnerability allows attackers to bypass sandbox file write restrictions, enabling arbitrary file creation or overwriting within the sandbox container. This can lead to unauthorized modification of files, injection of malicious code, or disruption of sandbox operations. For organizations, this could result in compromised AI agent behavior, data leakage, or persistence of malicious payloads within supposedly isolated environments. Since the sandbox is designed to restrict potentially dangerous operations, this bypass undermines trust in the containment mechanism, increasing the risk of broader system compromise if the sandbox is used in multi-tenant or sensitive environments. The impact spans confidentiality (unauthorized data writes), integrity (file tampering), and availability (potential denial of service through file corruption). Although exploitation requires some privileges, the low complexity and lack of user interaction make it a practical threat. Organizations relying on FastGPT for AI agent development or deployment may face operational risks, intellectual property exposure, or compliance issues if this vulnerability is exploited.

To mitigate this vulnerability, organizations should upgrade FastGPT to a version later than 4.14.7 once a patch is released that properly restricts file descriptor remapping or enhances seccomp filters to detect and block such bypass attempts. Until a patch is available, consider implementing additional sandboxing layers or container security policies that restrict the use of fcntl or remapping of file descriptors within the sandbox environment. Monitoring and alerting on unusual file descriptor operations or unexpected file writes inside sandbox containers can help detect exploitation attempts. Restricting privileges of processes running inside the sandbox to the minimum necessary and isolating sandbox containers from sensitive host resources reduces potential impact. Additionally, review and harden seccomp profiles to explicitly deny remapping operations or writes to file descriptors other than stdout. Employ runtime integrity checks on sandbox files to detect unauthorized modifications. Finally, maintain strict access controls and audit logs for sandbox usage to facilitate incident response.