CVE-2026-34042
act: actions/cache server allows malicious cache injection
| CVSS Score | 8.2 |
| EPSS Score | 0.1% |
| EPSS Percentile | 16th |
act is a project that allows GitHub Actions workflows to be run locally. Prior to version 0.2.86, act's built-in actions/cache server listens for connections on all interfaces and allows anyone who can connect to it, including anyone on the internet if the host is reachable, to create caches with arbitrary keys and to retrieve all existing caches. An attacker who can predict which cache keys the local actions will use can create malicious caches containing whatever files they please, most likely leading to arbitrary remote code execution inside the Docker container. This issue has been patched in version 0.2.86.
| CWE | CWE-862 |
| Vendor | nektos |
| Product | act |
| Published | Mar 31, 2026 |
| Last Updated | Mar 31, 2026 |
CVSS v3 Breakdown
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Changed |
| Confidentiality | High |
| Integrity | Low |
| Availability | None |
Affected Versions
| nektos / act | < 0.2.86 |
References
- github.com: https://github.com/nektos/act/security/advisories/GHSA-x34h-54cw-9825
- github.com: https://github.com/nektos/act/commit/c28c27e141e8b54f9853de82f421ee09846751f7
- code.forgejo.org: https://code.forgejo.org/forgejo/runner/issues/294
- github.com: https://github.com/nektos/act/releases/tag/v0.2.86