PT-2026-60238 · Labring · Fastgpt
Publicado
2026-07-15
·
Atualizado
2026-07-15
·
CVE-2026-50562
CVSS v4.0
9.3
Crítica
| Vetor | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:L |
FastGPT is a knowledge-based AI application platform. At commit 22ebfacbb43311e9b73294040ae0eb87390c6bba and earlier, artifacts built from untrusted pull request code in .github/workflows/preview-docs-build.yml and .github/workflows/preview-fastgpt-build.yml can be downloaded by privileged workflow run jobs in .github/workflows/preview-docs-push.yml and .github/workflows/preview-fastgpt-push.yml, allowing attacker-controlled Docker images from the document/ tree or FastGPT build context to be pushed to GHCR and, for documentation previews, deployed with secrets.KUBE CONFIG CN.
Correção
Incorrect Privilege Assignment
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Fastgpt