FastGPT flaws enable GitHub Actions code execution and NoSQL auth bypass
Multiple high-severity vulnerabilities were disclosed in FastGPT, an AI agent building platform, affecting both its application and its development pipeline. CVE-2026-33075 impacts versions 4.14.8.3 and earlier and stems from the fastgpt-preview-image.yml GitHub Actions workflow using pull_request_target while checking out untrusted fork code. The flaw allows external contributors to achieve arbitrary code execution in GitHub Actions, exfiltrate secrets, and potentially trigger a supply-chain compromise by building and pushing attacker-controlled container images to the production registry. At disclosure, no patch was available for that issue; GitHub tracked it as GHSA-xfx8-w35j-485c.
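A repository owner can check their own workflows for the pattern described above. The following is an added example, not code from FastGPT or the advisory: a heuristic, line-based audit that flags a `pull_request_target` workflow whose `actions/checkout` step pulls the pull request's head. The function name and both sample workflows are constructed for illustration.

```javascript
// Expressions that resolve to fork-controlled code in a pull request event.
const FORK_REF = /github\.event\.pull_request\.head\.(sha|ref|repo)|github\.head_ref|refs\/pull\//;

// Heuristic, line-based audit (no YAML parser): returns the offending lines of
// any actions/checkout step that pulls fork code in a pull_request_target workflow.
function auditWorkflow(yamlText) {
  const lines = yamlText.split(/\r?\n/).filter(l => !/^\s*#/.test(l));
  if (!lines.some(l => /\bpull_request_target\b/.test(l))) return [];
  // Group lines into YAML list items; every entry under `steps:` starts with "- ".
  const items = [];
  for (const line of lines) {
    if (/^\s*-\s/.test(line) || items.length === 0) items.push([]);
    items[items.length - 1].push(line);
  }
  return items
    .filter(item => item.some(l => /uses:\s*actions\/checkout@/.test(l)))
    .flatMap(item => item.filter(l => FORK_REF.test(l)).map(l => l.trim()));
}

// Constructed sample workflow (not FastGPT's actual file).
const RISKY_WORKFLOW = [
  'on:',
  '  pull_request_target:',
  'jobs:',
  '  preview:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/checkout@v4',
  '        with:',
  '          ref: ${{ github.event.pull_request.head.sha }}',
  '      - run: docker build -t preview .',
].join('\n');

// Same trigger, but checkout defaults to the base repository's trusted code.
const BASE_ONLY_WORKFLOW = RISKY_WORKFLOW
  .split('\n').filter(l => !/^\s+(with:|ref:)/.test(l)).join('\n');

console.log(auditWorkflow(RISKY_WORKFLOW));
console.log(auditWorkflow(BASE_ONLY_WORKFLOW));
```

A finding means the privileged job (secrets and a write-capable token) runs on code the contributor controls; an empty result from this heuristic does not prove a workflow is safe.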
Two additional flaws, CVE-2026-40351 and CVE-2026-40352, affect FastGPT versions prior to 4.14.9.5 and were fixed in that release. Both are NoSQL injection bugs caused by missing runtime validation in password-handling logic. The first lets an unauthenticated attacker bypass login checks by supplying MongoDB operators such as a password object matching any value, enabling login as arbitrary users including the root administrator. The second lets an authenticated low-privileged user bypass old-password verification in the password-change endpoint, enabling unauthorized password resets and possible account takeover, with broader impact if combined with ID manipulation.
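The effect of missing runtime validation on a password filter can be shown with a small model. This is an added example, not FastGPT's code: `matches` is a toy stand-in for MongoDB filter evaluation that supports only equality and `$ne`, and the user record, function names and request body are constructed.

```javascript
// Constructed user store standing in for a MongoDB collection.
const USERS = [{ username: 'root', password: 'hash-of-root-password' }];

// Toy matcher: models only literal equality and the $ne operator, enough
// to show how an object-valued field changes what a filter means.
function matches(doc, filter) {
  return Object.entries(filter).every(([key, cond]) => {
    if (cond !== null && typeof cond === 'object') {
      return Object.entries(cond).every(([op, arg]) => {
        if (op === '$ne') return doc[key] !== arg;
        throw new Error(`unsupported operator ${op}`);
      });
    }
    return doc[key] === cond;
  });
}
const findOne = filter => USERS.find(doc => matches(doc, filter)) || null;

// Before: the parsed JSON body is assumed to hold strings (a compile-time
// type annotation would not change what arrives at runtime).
function loginUnchecked(body) {
  return findOne({ username: body.username, password: body.password });
}

// After: reject anything that is not a plain string before it reaches the filter.
function requireString(value, field) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new TypeError(`${field} must be a non-empty string`);
  }
  return value;
}
function loginChecked(body) {
  return findOne({
    username: requireString(body.username, 'username'),
    password: requireString(body.password, 'password'),
  });
}

// Constructed request body: JSON lets a client send an object where a
// string is expected, which the filter then treats as an operator.
const OPERATOR_BODY = JSON.parse('{"username":"root","password":{"$ne":null}}');
```

The same `requireString` check applies to an old-password field in a password-change handler, which is the shape of the second flaw described above.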
Timeline
Apr 17, 2026
GitHub advisories disclose FastGPT auth bypass and account takeover bugs
GitHub security advisories published details for CVE-2026-40351 and CVE-2026-40352, describing NoSQL injection flaws in FastGPT versions prior to 4.14.9.5. The disclosures said the bugs could allow login as any user, including root, and unauthorized password changes leading to account takeover.
Apr 17, 2026
FastGPT fixes two NoSQL injection flaws in version 4.14.9.5
FastGPT released version 4.14.9.5 to fix two NoSQL injection vulnerabilities: CVE-2026-40351 in loginByPassword, which could let an unauthenticated attacker bypass authentication, and CVE-2026-40352 in updatePasswordByOld, which could let an authenticated attacker bypass old-password checks and take over accounts.
Mar 20, 2026
FastGPT discloses GitHub Actions RCE flaw as CVE-2026-33075
A security advisory disclosed CVE-2026-33075 affecting FastGPT 4.14.8.3 and earlier, caused by a GitHub Actions workflow using pull_request_target while checking out untrusted fork code. The flaw could enable arbitrary code execution, secret exfiltration, and potential supply-chain compromise through attacker-controlled container builds, and no patch was available at disclosure.
Related Stories

goshs Flaws Enable Auth Bypass and GitHub Token Leakage
Two high-severity vulnerabilities were disclosed in **goshs**, a Go-based SimpleHTTPServer, affecting multiple pre-release and stable versions. `CVE-2026-34581` impacts versions from `1.1.0` up to, but not including, `2.0.0-beta.2` and allows attackers to abuse the Share Token feature to bypass download restrictions. The flaw can expose broader goshs functionality beyond intended file access controls and may lead to **code execution**. The issue is classified as `CWE-288` and was fixed in `2.0.0-beta.2`. A second flaw, `CVE-2026-40903`, affects goshs versions before `2.0.0-beta.6` and is described as an **ArtiPACKED** vulnerability that can leak `GITHUB_TOKEN` values through GitHub Actions workflow artifacts, even when the token does not appear in repository source code. The issue is mapped to `CWE-829` and carries high confidentiality and integrity impact, extending concern from application access control to CI/CD credential exposure. The vendor lists `2.0.0-beta.6` as the fix version, and a GitHub security advisory has been published.
1 week ago
Misconfigured `pull_request_target` GitHub Actions enabled supply chain compromises
Researchers reported that insecure GitHub Actions workflows using the privileged `pull_request_target` trigger exposed major open source repositories to secret theft and supply chain abuse. Sysdig found workflows in projects including **MITRE** `mitre-attack/car`, **Splunk** `security_content`, and **spotipy** that checked out and executed untrusted forked pull request code in privileged CI contexts, enabling exfiltration of secrets and abuse of high-permission `GITHUB_TOKEN` access. Spotipy assigned **`CVE-2025-47928`** and fixed the issue after disclosure, MITRE remediated its workflow, and Splunk patched its pipeline. Wiz later described a large-scale campaign dubbed **prt-scan** that weaponized the same weakness across GitHub, sending more than 500 malicious pull requests in multiple waves and using increasingly tailored, AI-assisted payloads against Python, Node.js, Go, Rust, and GitHub Actions projects. Most attempts were blocked by contributor approval gates and workflow restrictions, but Wiz confirmed compromise of at least two npm packages—**`@codfish/eslint-config`** and **`@codfish/actions`**—across 106 versions, along with theft of credentials including **AWS keys**, **Cloudflare API tokens**, and **Netlify auth tokens**. The incidents underscored that repositories running untrusted PR code under `pull_request_target` can turn CI/CD pipelines into a direct path for secret exposure and downstream package compromise.
2 weeks ago
Multiple Critical Vulnerability Disclosures Across Gogs, Jinjava, and Kubernetes Local Path Provisioner
Several **high-severity vulnerability disclosures** were published across widely used developer and infrastructure components, with impacts ranging from **remote code execution (RCE)** to **account takeover** and **arbitrary host file writes**. In *Gogs* (self-hosted Git service), three CVEs were reported: **CVE-2025-64111** (CVSS 9.3) enables RCE by bypassing checks in `UpdateRepoFile` to modify `.git/config` via the API (described as an insufficient fix for an earlier issue); **CVE-2025-64175** (CVSS 7.7) allows a **cross-account 2FA recovery-code bypass** in versions `0.13.3` and earlier if an attacker already has a victim’s username/password; and **CVE-2026-24135** (CVSS 7.2) is a wiki rename path traversal that can delete arbitrary files by manipulating `old_title`. Separately, *Jinjava* (HubSpot CMS template engine) disclosed **CVE-2026-25526** (CVSS 9.8), a sandbox escape chain that permits arbitrary Java code execution by abusing `ForTag` iteration behavior (Bean ELResolver restriction bypass) and `ObjectMapper`-based JSON deserialization to instantiate disallowed classes. A critical Kubernetes storage issue was also disclosed in *Kubernetes Local Path Provisioner*: **CVE-2025-62878** (CVSS 10.0) allows directory traversal via the `parameters.pathPattern` setting, enabling a user who can create storage resources to provision volumes in arbitrary host locations (e.g., `/etc`) and potentially overwrite sensitive files on cluster nodes. In parallel to these product flaws, separate research reported widespread **exposure of Git metadata** on the public internet—approximately **4.96 million** IPs with accessible `.git` directories and **250,000+** exposing `.git/config` files that may contain deployment credentials—highlighting a common, high-impact misconfiguration pattern that can enable source code reconstruction and secret theft. 
Active exploitation activity was reported for *Ivanti Endpoint Manager Mobile (EPMM)* involving **CVE-2026-1281** and **CVE-2026-1340**, where attackers were observed dropping `/mifs/403.jsp` and using a Base64-delivered Java class loader designed for delayed, in-memory activation rather than immediate interactive webshell use.
1 month ago