CVE-2026-34042
Published: 31 March 2026
Summary
CVE-2026-34042 is a high-severity Missing Authorization (CWE-862) vulnerability in Forgejo (inferred from references). Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).
Deeper analysis
CVE-2026-34042 affects the "act" project, an open-source tool for running GitHub Actions locally. In versions prior to 0.2.86, the built-in actions/cache server listens for connections on all network interfaces, exposing it to unauthorized access. This misconfiguration (related to CWE-862: Missing Authorization) enables remote parties to create caches with arbitrary keys and retrieve all existing caches without authentication.
A remote attacker with network access to the vulnerable act instance, potentially from anywhere on the internet, can connect directly to the cache server. By predicting the cache keys that local GitHub Actions workflows will use, the attacker can upload malicious cache entries; when act's local actions later restore those poisoned caches, the result can be arbitrary code execution inside the Docker container that runs the actions. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, base score 8.2) reflects that some user interaction is required, such as triggering the affected workflow.
The vulnerability has been patched in act version 0.2.86, as detailed in the project's GitHub security advisory (GHSA-x34h-54cw-9825), the patching commit (c28c27e141e8b54f9853de82f421ee09846751f7), and the release notes. Security practitioners should upgrade to v0.2.86 or later and review Forgejo runner issue #294 for additional context on related discussions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17286
Vulnerability details
act is a project which allows for local running of GitHub Actions. Prior to version 0.2.86, act's built-in actions/cache server listens to connections on all interfaces and allows anyone who can connect to it, including someone anywhere on the internet, to create caches with arbitrary keys and retrieve all existing caches. If they can predict which cache keys will be used by local actions, they can create malicious caches containing whatever files they please, most likely allowing arbitrary remote code execution within the Docker container. This issue has been patched in version 0.2.86.
- CWE(s): CWE-862 (Missing Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability exposes an unauthenticated cache server on all interfaces (CWE-862), directly enabling remote exploitation for cache poisoning and subsequent RCE, mapping to T1190 Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
- CM-6 (Configuration Settings): Establishes and enforces secure configuration settings for the act cache server so that it binds only to localhost, directly preventing exposure to remote unauthorized access.
- CM-7 (Least Functionality): Restricts the act tool to least functionality by prohibiting or limiting the network-listening capability of the built-in cache server, eliminating unnecessary exposure.
- SC-7 (Boundary Protection): Implements boundary protection such as host-based firewalls to block unauthorized network access to the act cache server port, mitigating remote exploitation even if the server is misconfigured.