Platform
go
Component
github.com/nektos/act
Fixed in
0.2.87
0.2.86
CVE-2026-34042 describes a remote code execution (RCE) vulnerability in the act project, a tool for running GitHub Actions locally. The flaw arises because the built-in actions/cache server listens on all network interfaces, which allows unauthorized creation and retrieval of cache entries and can lead to arbitrary code execution inside the Docker container. Versions less than or equal to 0.2.86 are affected. Version 0.2.86 addresses this security issue.
CVE-2026-34042 affects users who run the nektos/act action inside Docker containers as part of their GitHub Actions workflows. The weakness lies in act's actions/cache server, which permits malicious cache injection. An attacker who controls a repository with access to a shared cache (for example a team or organization cache) can inject crafted cache entries; when other workflows using the same cache retrieve those entries, arbitrary code runs in the workflow's execution environment. This matters because GitHub Actions workflows often hold elevated privileges to deploy applications, manage infrastructure or access sensitive data, so a successful injection can lead to unauthorized access to cloud resources, data exfiltration, or full compromise of the affected repository and its associated systems. The blast radius covers every workflow that shares the poisoned cache, potentially spanning multiple projects and teams within an organization. The supply-chain angle heightens the severity: malicious code introduced through compromised dependencies or actions can silently propagate across many deployments.
As of this assessment, there are no publicly available exploitation reports or proof-of-concept (PoC) code for CVE-2026-34042. The vulnerability's potential impact and the ease of cache injection nevertheless make it a high-priority concern. Although no active exploitation has been observed, the lack of public exploits does not reduce the underlying risk: attackers may be developing exploits privately, and the absence of public information is no guarantee of safety. Given the potential for severe consequences, organizations should prioritize patching or applying the recommended workarounds. The absence of public exploits currently lowers the immediate urgency, but proactive mitigation is strongly advised to prevent future exploitation.
Exploit status
EPSS
0.06% (18th percentile)
CISA SSVC
CVSS vector
To address CVE-2026-34042, upgrade the nektos/act action to version 0.2.86 or later; the patched version includes safeguards against malicious cache injection. If an immediate upgrade is not feasible, a temporary workaround is to isolate caches per repository so that a shared cache cannot be exploited across projects: configure your GitHub Actions workflows to use cache keys that are unique to each repository. After upgrading or applying the workaround, verify cache integrity by reviewing recent cache entries for unexpected or suspicious files. Audit your GitHub Actions workflows and dependencies regularly to identify and mitigate potential vulnerabilities, and consider stricter access controls on repositories and caches to limit the scope for unauthorized modification.
Update act to version 0.2.86 or later. This version fixes the vulnerability that allows malicious cache injection. Updating prevents remote attackers from creating malicious caches and executing arbitrary code inside Docker containers.
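As an added defender-side check, not part of this advisory or of the act project: the Go program below reads go.mod text, extracts the github.com/nektos/act requirement and compares it with the fixed version named above (0.2.86), treating a pre-release of that version or an unparseable version as still vulnerable. The sample go.mod is constructed for illustration and refers to no real project.

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed go.mod excerpt used as sample input (not from any real project).
const sampleGoMod = "module example.com/ci-tools\n\nrequire (\n\tgithub.com/nektos/act v0.2.85\n\tgithub.com/spf13/cobra v1.8.0 // indirect\n)\n"
const fixedVersion = "0.2.86" // release this advisory names as addressing CVE-2026-34042

// parseVersion parses "v0.2.85" or "0.2.86-rc1" into numbers plus a pre-release flag; ok is false if not semver-like.
func parseVersion(v string) (parts [3]int, pre, ok bool) {
	core, _, pre := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	fields := strings.Split(core, ".")
	for i, f := range fields {
		if n, err := strconv.Atoi(f); err == nil && len(fields) == 3 {
			parts[i] = n
		} else {
			return parts, false, false
		}
	}
	return parts, pre, true
}

// IsFixed reports whether v >= fixed; unparseable input and a pre-release of fixed (e.g. 0.2.86-rc1) are NOT fixed.
func IsFixed(v, fixed string) bool {
	a, aPre, okA := parseVersion(v)
	b, _, okB := parseVersion(fixed)
	if !okA || !okB {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return a[i] > b[i]
		}
	}
	return !aPre
}

// ActVersion returns the github.com/nektos/act version required in go.mod text (inline or block require), or "".
func ActVersion(gomod string) string {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == "github.com/nektos/act" {
			return f[1]
		}
	}
	return ""
}
```

Run `IsFixed(ActVersion(contents), fixedVersion)` over a real go.mod; a `false` result means the module is pinned to an affected or unrecognisable act version and should be upgraded.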
CVE-2026-34042 is a vulnerability in the act actions/cache server that allows malicious cache injection, potentially leading to arbitrary code execution within GitHub Actions workflows.
You are affected if you are using the nektos/act action in your GitHub Actions workflows and are running a version prior to 0.2.86.
Upgrade the nektos/act action to version 0.2.86 or later to resolve this vulnerability.
Currently, there are no publicly available exploitation reports or proof-of-concept code for CVE-2026-34042.
Refer to the National Vulnerability Database (NVD) entry at [https://nvd.nist.gov/vuln/detail/CVE-2026-34042](https://nvd.nist.gov/vuln/detail/CVE-2026-34042) and the vendor advisory for more information.