Skip to main content

Docker CVE-2026-34042

HIGH
Missing Authorization (CWE-862)
2026-03-27 https://github.com/nektos/act GHSA-x34h-54cw-9825
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
Re-analysis Queued
Apr 16, 2026 - 14:52 vuln.today
cvss_changed
Analysis Generated
Mar 27, 2026 - 19:38 vuln.today
Patch released
Mar 27, 2026 - 19:38 nvd
Patch available
CVE Published
Mar 27, 2026 - 19:35 nvd
HIGH 8.2

DescriptionGitHub Advisory

act's built-in actions/cache server listens to connections on all interfaces and allows anyone who can connect to it - including someone anywhere on the internet - to create caches with arbitrary keys and retrieve all existing caches. If one can predict which cache keys will be used by local actions, one can create malicious caches containing whatever files one pleases, most likely allowing arbitrary remote code execution within the Docker container.

Discovery

Discovered while discussing forgejo/runner#294.

Proposed Mitigation

It was discussed to append a secret to ACTIONS_CACHE_URL to retain compatibility with GitHub's cache action and still allow authorization. Forgejo is considering also encoding which repo is currently being run in CI into the secret in the URL to prevent unrelated repos using the same (probably global) runner from seeing each other's caches.

AnalysisAI

Unauthenticated remote cache poisoning in nektos/act (GitHub Actions local runner) enables arbitrary code execution by exposing the built-in actions/cache server on all network interfaces without authentication. Attackers who can reach the cache server-including from the public internet if exposed-can inject malicious cache entries with predictable keys, leading to remote code execution within Docker containers running GitHub Actions workflows. No public exploit identified at time of analysis, though EPSS data unavailable. Vendor-released patch available in act v0.2.86.

Technical ContextAI

The nektos/act tool is a Go-based local runner for GitHub Actions workflows that includes a built-in cache server mimicking GitHub's actions/cache functionality. The vulnerability stems from CWE-862 (Missing Authorization), where the cache server binds to 0.0.0.0 (all network interfaces) without implementing authentication or access controls. The ACTIONS_CACHE_URL endpoint accepts cache creation and retrieval requests from any source that can establish a TCP connection. Because GitHub Actions workflows often use predictable cache keys based on dependency files or branch names, an attacker with network access can preemptively populate malicious caches. When a legitimate workflow retrieves what it believes to be a trusted cache, it executes attacker-controlled binaries or scripts within the Docker container context. The affected product is distributed as pkg:go/github.com_nektos_act, commonly used in CI/CD development and testing environments where developers run GitHub Actions locally.

RemediationAI

Upgrade to nektos/act version 0.2.86 or later, which implements authentication for the cache server by appending a secret token to ACTIONS_CACHE_URL to prevent unauthorized access while maintaining compatibility with GitHub's cache action. The fix is available via the GitHub advisory at https://github.com/nektos/act/security/advisories/GHSA-x34h-54cw-9825 and the patched commit at https://github.com/nektos/act/commit/c28c27e141e8b54f9853de82f421ee09846751f7. As an immediate workaround for organizations unable to upgrade, restrict network access to the act cache server port using firewall rules to ensure it only accepts connections from localhost (127.0.0.1), or run act within isolated network segments without internet exposure. Review Docker network configurations to confirm the cache server is not inadvertently exposed on public interfaces. Organizations running Forgejo runners should monitor https://code.forgejo.org/forgejo/runner/issues/294 for additional context on multi-tenant cache isolation improvements being considered upstream.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-34042 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy