CVE-2026-34042: act: actions/cache server allows malicious cache injection
(updated )
act’s built-in actions/cache server listens to connections on all interfaces and allows anyone who can connect to it — including someone anywhere on the internet — to create caches with arbitrary keys and retrieve all existing caches. If one can predict which cache keys will be used by local actions, one can create malicious caches containing whatever files one pleases, most likely allowing arbitrary remote code execution within the Docker container.
References
- code.forgejo.org/forgejo/runner/issues/294
- github.com/advisories/GHSA-x34h-54cw-9825
- github.com/nektos/act
- github.com/nektos/act/commit/c28c27e141e8b54f9853de82f421ee09846751f7
- github.com/nektos/act/releases/tag/v0.2.86
- github.com/nektos/act/security/advisories/GHSA-x34h-54cw-9825
- nvd.nist.gov/vuln/detail/CVE-2026-34042
Code Behaviors & Features
Detect and mitigate CVE-2026-34042 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →