File Write Bypass in FastGPT's Python Sandbox
CVE-2026-32128

6.3MEDIUM

Key Information:

Vendor: Labring
Status: Fastgpt
Vendor: CVE Published:; 11 March 2026

What is CVE-2026-32128?

The FastGPT platform includes a Python Sandbox that is designed to enforce guardrails curbing file write operations. However, versions prior to 4.14.7 are susceptible to a significant security vulnerability where an attacker can bypass these restrictions. By remapping the standard output (stdout) to an arbitrary writable file descriptor through the use of the fcntl system call, unauthorized file writes can occur. This enables the creation or overwriting of files within the sandbox environment, undermining the intended protective measures put in place to prevent such actions.

Affected Version(s)

FastGPT <= 4.14.7

References

https://github.com/labring/FastGPT/security/advisories/GH...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 11, 2026
Vulnerability Reserved
Mar 10, 2026

CVE-2026-32128 Data

JSON

Labring

What is CVE-2026-32128?

Affected Version(s)

References

CVSS V3.1

Timeline