CVE-2026-34042
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Description
act's built-in actions/cache server listens to connections on all interfaces and allows anyone who can connect to it - including someone anywhere on the internet - to create caches with arbitrary keys and retrieve all existing caches. If one can predict which cache keys will be used by local actions, one can create malicious caches containing whatever files one pleases, most likely allowing arbitrary remote code execution within the Docker container.

## Discovery

Discovered while discussing [forgejo/runner#294](https://code.forgejo.org/forgejo/runner/issues/294).

## Proposed Mitigation

It was discussed to append a secret to `ACTIONS_CACHE_URL` to retain compatibility with GitHub's cache action and still allow authorization. Forgejo is considering also encoding which repo is currently being run in CI into the secret in the URL to prevent unrelated repos using the same (probably global) runner from seeing each other's caches.
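The proposed mitigation above, as an added example (not code from act, Forgejo or the advisory): a per-repository token is placed as a path prefix in `ACTIONS_CACHE_URL` and checked on every request. The HMAC-based token format, the names `CacheURL`, `Authorize` and `sign`, the sample secret and the sample request path are all assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// sign returns hex(HMAC-SHA256(secret, repo)). Hypothetical token format.
func sign(secret []byte, repo string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(repo))
	return hex.EncodeToString(m.Sum(nil))
}

// CacheURL builds the ACTIONS_CACHE_URL value: <base>/<base64url(repo)>.<mac>/
// The cache action appends its usual API paths after this prefix unchanged.
func CacheURL(base string, secret []byte, repo string) string {
	id := base64.RawURLEncoding.EncodeToString([]byte(repo))
	return strings.TrimRight(base, "/") + "/" + id + "." + sign(secret, repo) + "/"
}

// Authorize validates the first path segment and returns the repository whose
// cache namespace the request may use, plus the remaining API path.
func Authorize(secret []byte, path string) (string, string, error) {
	seg, rest, _ := strings.Cut(strings.TrimPrefix(path, "/"), "/")
	id, mac, ok := strings.Cut(seg, ".")
	raw, decErr := base64.RawURLEncoding.DecodeString(id)
	if !ok || decErr != nil || len(raw) == 0 {
		return "", "", errors.New("missing or malformed cache token")
	}
	// Constant-time comparison; the repo name is trusted only after this.
	if !hmac.Equal([]byte(mac), []byte(sign(secret, string(raw)))) {
		return "", "", errors.New("invalid cache token")
	}
	return string(raw), "/" + rest, nil
}

func main() {
	secret := []byte("constructed-demo-secret") // constructed; use random bytes per runner
	u := CacheURL("http://127.0.0.1:5289", secret, "alice/app")
	fmt.Println(u)
	fmt.Println(Authorize(secret, "/_apis/artifactcache/cache")) // no token: rejected
}
```

A server using this would key every cache lookup and upload on the repository returned by `Authorize`, so a job from one repository cannot read or overwrite another repository's entries.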
Analysis
Unauthenticated remote cache poisoning in nektos/act (GitHub Actions local runner) enables arbitrary code execution by exposing the built-in actions/cache server on all network interfaces without authentication. Attackers who can reach the cache server, including from the public internet if exposed, can inject malicious cache entries with predictable keys, leading to remote code execution within Docker containers running GitHub Actions workflows. …
Remediation
Within 24 hours: Identify all systems running nektos/act and document network exposure of port 5289 (default cache server). Within 7 days: Upgrade all instances to act v0.2.86 or later; if upgrade is blocked, isolate the cache server to localhost-only binding or restrict network access via firewall rules to trusted hosts only. …
GHSA-x34h-54cw-9825