External risk intelligence

FastGPT Workflow Artifact Download Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-50562

The vulnerability exists within CI/CD workflow configurations and build-time processes. It is restricted to the development and deployment pipeline rather than a production service or internet-facing application endpoint.

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a vulnerability in FastGPT, a knowledge-based AI application platform, that could allow for the injection of malicious code during the build process. Specifically, improperly secured workflow jobs could be tricked into downloading artifacts from untrusted sources, potentially leading to the deployment of attacker-controlled images.

  • Unsafe build processes can introduce malicious code.
  • Threat to supply chain integrity and code deployment.
  • Verify relevance and exposure within development pipelines.

Attack Path

How an attacker could exploit the issue

An attacker could compromise the FastGPT platform by injecting malicious code into the project's build process. Specifically, by submitting a pull request with a compromised Docker image, an attacker could trick privileged workflow jobs into downloading and pushing these attacker-controlled images to GitHub Container Registry (GHCR). For documentation previews, these compromised images could then be deployed with sensitive secrets, potentially allowing further compromise.

  • Entry condition: Submit a pull request with malicious code.
  • Trigger point: Artifacts from untrusted pull requests are used.
  • Resulting risk: Secrets deployed with documentation previews.

Live Threat

Current exploitation, exposure, and threat context

FastGPT's build process could allow an attacker to push malicious Docker images to GitHub Container Registry (GHCR). When supported by the advisory, these images could be used for documentation previews, potentially deploying with sensitive secrets.

  • Attacker-controlled Docker images.
  • Untrusted code in workflow files.
  • Compromised secrets during previews.

Operational Fix

Recommended remediation, mitigation, and detection steps

The FastGPT platform's build process is susceptible to attack if untrusted code is introduced into specific workflow files. This could allow an attacker to push malicious Docker images to GHCR and potentially deploy them with secrets, impacting documentation preview functionality. Teams responsible for CI/CD pipelines and FastGPT platform administration should prioritize identifying affected systems and owners to plan remediation.

  • Platform and security teams own this issue.
  • Verify workflow configurations and artifact sources.
  • Plan remediation during the next maintenance window.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is FastGPT and how is it used?

FastGPT is a platform designed for building knowledge-based AI applications. It allows users to leverage AI models to process and interact with their own datasets. The software includes automation tools and build pipelines that help developers manage the deployment of these AI services, often utilizing containerized environments to handle the application code and supporting documentation.

What is the vulnerability in CVE-2026-50562?

This vulnerability is an issue of improper trust in build artifacts, specifically categorized as including the inclusion of untrusted code and supply chain weaknesses. In plain English, the system's automated build process can be tricked into treating malicious files as legitimate. This allows an attacker to inject their own software images into the pipeline, potentially leading to unauthorized code execution or the exposure of sensitive configuration secrets.

How can an attacker trigger this vulnerability?

The process is triggered when an attacker submits a pull request containing malicious code or a compromised Docker image to the project. The vulnerability does not activate under normal conditions where only verified, trusted code is processed. It specifically relies on the automated workflow files incorrectly downloading and deploying artifacts that originated from these untrusted, externally-sourced pull requests.

Do I need to worry about this if I use FastGPT?

According to Halo Surface Signal, this issue is considered unlikely to affect production services directly because it exists within the development and CI/CD pipeline rather than an internet-facing application endpoint. You should focus your attention on the internal systems responsible for building, testing, and deploying your documentation previews or application containers, as these are the components where the risk of unauthorized image deployment is concentrated.

When should I take action for this CVE?

You should prioritize this during your next scheduled maintenance window. Start by identifying who owns your CI/CD workflow configurations and review the specific GitHub workflow files identified in the advisory. The goal is to verify and secure your artifact sources to ensure that only trusted code can trigger privileged build jobs, effectively closing the path for malicious image injection.

References