CVE-2026-33075 affects labring's FastGPT AI Agent building platform, specifically versions 4.14.8.3 and earlier. The vulnerability arises from the use of the GitHub Actions workflow file fastgpt-preview-image.yml, which employs the pull_request_target event. This event runs with elevated privileges, including access to repository secrets, but the workflow checks out code from the pull request author's fork. This combination allows an attacker who can submit a pull request to execute arbitrary code within the workflow context. The attacker can craft malicious Dockerfiles that are built and pushed as container images to the production container registry, effectively enabling a supply chain attack. This can lead to the injection of malicious code into production environments consuming these images. The vulnerability is categorized under CWE-494 (Download of Code Without Integrity Check) and CWE-829 (Inclusion of Functionality from Untrusted Control Sphere). The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. No patch was available at the time of publication, increasing the urgency for mitigation.

The impact of this vulnerability is severe for organizations using FastGPT in their development workflows. Attackers can gain arbitrary code execution within the CI/CD pipeline, leading to the exfiltration of sensitive repository secrets such as API keys, tokens, and credentials. The ability to push malicious Docker images to the production container registry enables supply chain attacks that can compromise downstream consumers of these images, potentially affecting production environments and critical infrastructure. This can result in data breaches, unauthorized access, service disruption, and reputational damage. The vulnerability affects the integrity and confidentiality of the software supply chain and can lead to widespread compromise if exploited in environments with automated deployment pipelines. Given the criticality and ease of exploitation, organizations face a high risk of compromise if they do not take immediate action.

To mitigate this vulnerability, organizations should immediately audit their use of GitHub Actions workflows, especially those triggered by pull_request_target events that access repository secrets. Avoid checking out code from untrusted forks in workflows with elevated privileges. Instead, separate workflows that require secrets from those that build untrusted code, or use pull_request events without access to secrets for untrusted code. Implement strict code review policies and restrict who can submit pull requests that trigger privileged workflows. Use ephemeral or limited-scope secrets and rotate them regularly. Monitor container registries for unexpected image pushes and implement image signing and verification to detect tampering. Until an official patch is released, consider disabling or restricting the vulnerable workflow. Employ runtime security controls to detect anomalous container behavior. Finally, stay updated with vendor advisories for patches and apply them promptly once available.