Platform
go
Component
github.com/nektos/act
Fixed in
0.2.87
0.2.86
CVE-2026-34042 describes a remote code execution (RCE) vulnerability in the act project, which runs GitHub Actions workflows locally. The vulnerability arises from act's built-in actions/cache server listening on all network interfaces, which allows unauthorized parties to create and retrieve cache entries and can lead to arbitrary code execution inside the Docker container running the job. This impacts versions less than or equal to 0.2.86. Version 0.2.86 addresses this security issue.
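The root cause stated above is a cache server bound to every interface. The following added example (not part of the advisory, and not code from the act project) shows one way a defender can check a host for that condition: it parses `ss -ltnp` output and reports any listening socket owned by a process named `act` whose local address is a wildcard (`0.0.0.0`, `::` or `*`). The sample output embedded below is constructed, not captured from a real host; the port number and PIDs are illustrative.

```python
import re
import subprocess

# Constructed sample in the layout of `ss -ltnp` (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096    0.0.0.0:34567        0.0.0.0:*          users:(("act",pid=4242,fd=7))
LISTEN  0       4096    127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=900,fd=7))
LISTEN  0       4096    [::]:22              [::]:*             users:(("sshd",pid=1,fd=3))
LISTEN  0       128     192.168.1.10:8080    0.0.0.0:*          users:(("python3",pid=77,fd=5))
"""

# Local addresses that mean "every interface" (IPv4 and IPv6 wildcards).
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}

# Extracts the process name and pid from the `users:(("name",pid=N,fd=M))` column.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_listeners(ss_output):
    """Yield (process, pid, address, port) for every LISTEN row of `ss -ltnp` text."""
    for line in ss_output.splitlines():
        fields = line.split()
        # The header row and non-LISTEN rows are skipped here.
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # "Local Address:Port" column
        addr = addr.strip("[]")                  # "[::]" -> "::"
        m = PROC_RE.search(line)
        proc, pid = (m.group(1), int(m.group(2))) if m else ("?", -1)
        yield proc, pid, addr, int(port)


def wide_open_listeners(ss_output, process_name="act"):
    """Return the listeners of `process_name` that are bound to a wildcard address."""
    return [
        (proc, pid, addr, port)
        for proc, pid, addr, port in parse_listeners(ss_output)
        if proc == process_name and addr in WILDCARD_ADDRS
    ]


def check_live_host(process_name="act"):
    """Run `ss -ltnp` on this host and audit it; returns [] if ss is unavailable."""
    try:
        out = subprocess.run(["ss", "-ltnp"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return []
    return wide_open_listeners(out, process_name)


if __name__ == "__main__":
    for proc, pid, addr, port in wide_open_listeners(SAMPLE_SS_OUTPUT):
        print(f"{proc} (pid {pid}) listens on {addr}:{port}: reachable from every interface")
```

`ss -p` only shows process names for sockets the current user can inspect, so run `check_live_host()` with sufficient privileges; a listener that is bound to a wildcard address but has no process column will not be attributed to `act` and is worth checking by hand.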
CVE-2026-34042 affects users who run Docker containers with the nektos/act action as part of their GitHub Actions workflows. The weakness lies in act's actions/cache server, which permits malicious cache injection. An attacker who controls a repository with access to a shared cache (for example, a team or organization cache) can inject crafted cache entries; when other workflows using the same cache retrieve those entries, arbitrary code runs in the workflow's execution environment. This is particularly concerning because GitHub Actions workflows often hold elevated privileges to deploy applications, manage infrastructure, or access sensitive data, so a successful injection could lead to unauthorized access to cloud resources, data exfiltration, or complete compromise of the affected repository and its associated systems. The blast radius extends to every workflow that shares the poisoned cache, potentially spanning multiple projects and teams within an organization. The severity is heightened by the potential for supply chain attacks, in which malicious code introduced through compromised dependencies or actions propagates silently across numerous deployments.
As of this assessment, there are no publicly available exploitation reports or proof-of-concept (PoC) code for CVE-2026-34042. However, the vulnerability's potential impact and the ease of cache injection make it a high-priority concern. No active exploitation has been observed, but the absence of public exploits does not guarantee safety: attackers may be developing exploits privately. Given the potential for severe consequences, organizations should prioritize patching or implementing the recommended workarounds to mitigate the risk. The absence of public exploits currently lowers the urgency, but proactive mitigation is strongly advised to prevent future exploitation.
Exploit Status
EPSS
0.06% (18th percentile)
CISA SSVC
CVSS Vector
To address CVE-2026-34042, immediately upgrade the nektos/act action to version 0.2.86 or later; the patched version includes safeguards against malicious cache injection. If upgrading is not immediately feasible, a temporary workaround is to isolate caches per repository so that a shared cache cannot be exploited across multiple projects. Configure your GitHub Actions workflows to use cache keys that are unique to each repository to limit the potential impact. After applying the upgrade or workaround, verify the integrity of your cache by reviewing recent cache entries for unexpected or suspicious files. Regularly audit your GitHub Actions workflows and dependencies to identify and mitigate potential vulnerabilities, and consider stricter access controls for your repositories and caches to limit the potential for unauthorized modification.
Update act to version 0.2.86 or higher. This version fixes the vulnerability that allows for malicious cache injection. The update will prevent remote attackers from creating malicious caches and executing arbitrary code within Docker containers.
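The mitigation section above recommends reviewing recent cache entries for unexpected or suspicious files. The following added example (not part of the advisory and not code from act or actions/cache) audits a cache entry stored as a tar archive, which is the format the actions/cache client uploads; whether act's server stores entries in exactly that form is an assumption here. It flags members with absolute paths, `..` traversal, links whose target leaves the archive root, and regular files with the executable bit set. The archive it inspects is constructed in memory for the demonstration; the member names are illustrative, not taken from any real cache.

```python
import io
import posixpath
import stat
import tarfile


def _escapes(path):
    """True if a relative path, once normalised, would leave the extraction root."""
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")


def audit_cache_archive(fileobj):
    """Scan a tar archive and return a list of (member name, reason) findings.

    Only the metadata is examined; nothing is extracted.
    """
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar.getmembers():
            if m.name.startswith("/"):
                findings.append((m.name, "absolute path"))
            elif _escapes(m.name):
                findings.append((m.name, "path traversal"))
            if m.issym() or m.islnk():
                # A symlink target is relative to the link's own directory;
                # a hard link target is relative to the archive root.
                if m.issym():
                    target = posixpath.join(posixpath.dirname(m.name), m.linkname)
                else:
                    target = m.linkname
                if m.linkname.startswith("/") or _escapes(target):
                    findings.append((m.name, f"link escapes root -> {m.linkname}"))
            if m.isfile() and m.mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                findings.append((m.name, "executable file"))
    return findings


def build_sample_archive():
    """Constructed tar with one clean entry and four suspicious ones (not a real cache)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data=b"x", mode=0o644):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))

        add_file("node_modules/left-pad/index.js", b"module.exports = () => {};\n")
        add_file("../outside.txt")                                        # traversal
        add_file("/abs/outside.txt")                                      # absolute path
        add_file("node_modules/.bin/run.sh", b"#!/bin/sh\n", mode=0o755)  # executable
        link = tarfile.TarInfo("node_modules/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../escape"                                    # leaves the root
        tar.addfile(link)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reason in audit_cache_archive(build_sample_archive()):
        print(f"{name}: {reason}")
```

The executable-bit check is a heuristic rather than a verdict: dependency caches legitimately contain executables (for example under `node_modules/.bin`), so treat those findings as a list to review against what the workflow is expected to cache. Path traversal and escaping links, by contrast, have no legitimate place in a cache entry and should cause the entry to be discarded rather than restored.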
CVE-2026-34042 is a vulnerability in the act actions/cache server that allows malicious cache injection, potentially leading to arbitrary code execution within GitHub Actions workflows.
You are affected if you are using the nektos/act action in your GitHub Actions workflows and are running a version prior to 0.2.86.
Upgrade the nektos/act action to version 0.2.86 or later to resolve this vulnerability.
Currently, there are no publicly available exploitation reports or proof-of-concept code for CVE-2026-34042.
Refer to the National Vulnerability Database (NVD) entry at [https://nvd.nist.gov/vuln/detail/CVE-2026-34042](https://nvd.nist.gov/vuln/detail/CVE-2026-34042) and the vendor advisory for more information.