CVE-2026-34042
Received Received - Intake
Unauthorized Cache Access in act Allows Remote Code Execution

Publication date: 2026-03-31

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
act is a project which allows for local running of github actions. Prior to version 0.2.86, act's built in actions/cache server listens to connections on all interfaces and allows anyone who can connect to it including someone anywhere on the internet to create caches with arbitrary keys and retrieve all existing caches. If they can predict which cache keys will be used by local actions, they can create malicious caches containing whatever files they please most likely allowing arbitrary remote code execution within the docker container. This issue has been patched in version 0.2.86.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-03-31
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34042
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nektos act to 0.2.86 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-34042 is a high-severity vulnerability in the act project, which allows local running of GitHub actions. Prior to version 0.2.86, the built-in actions/cache server listens on all network interfaces without proper authorization, allowing anyone who can connect to it to create caches with arbitrary keys and retrieve all existing caches.

If an attacker can predict the cache keys used by local actions, they can create malicious caches containing arbitrary files. This can most likely lead to arbitrary remote code execution within the Docker container running the actions.

The vulnerability arises from missing authorization checks on the cache server, which exposes sensitive cache data and allows unauthorized cache manipulation.

Compliance Impact

The vulnerability allows unauthorized remote attackers to access and retrieve all existing caches, potentially exposing sensitive data stored within those caches. This unauthorized data access represents a high confidentiality impact, which could lead to non-compliance with data protection regulations such as GDPR and HIPAA that require strict controls over access to personal and sensitive information.

Additionally, the risk of arbitrary remote code execution within the Docker container could lead to further unauthorized actions on the system, potentially compromising data integrity and security controls mandated by these standards.

The patch introduced a secret token authorization mechanism to prevent unauthorized access, which helps restore compliance by enforcing access controls and protecting sensitive cached data.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to cached data and the potential for arbitrary remote code execution within the Docker container running the GitHub actions.

An attacker who can connect to the cache server can create or retrieve caches with arbitrary keys, potentially injecting malicious files that compromise the integrity and security of the environment.

Because the cache server listens on all interfaces without authorization, the attack can be performed remotely over the network, increasing the risk of exploitation.

The vulnerability has a high CVSS score of 8.2, indicating a high severity with network attack vector, low attack complexity, no privileges required, and a high confidentiality impact.

Detection Guidance

This vulnerability can be detected by checking if the act built-in actions/cache server is listening on all network interfaces without requiring an authorization token in the URL path.

One way to detect this is to scan for open ports on the system where act is running and attempt to access the cache API endpoints without an authorization token.

  • Use a network scanning tool like nmap to identify if the cache server port is open and listening on all interfaces.
  • Attempt to access the cache API endpoints (e.g., GET /_apis/artifactcache/cache) without a token to see if unauthorized access is possible.
  • Example command to scan open ports (replace <host> and <port> accordingly): nmap -p <port> <host>
  • Example curl command to test unauthorized access: curl -i http://<host>:<port>/_apis/artifactcache/cache

If the server responds without requiring a token or returns cache data, the system is vulnerable.

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade the act tool to version 0.2.86 or later where the issue has been patched.

The patch introduces a cryptographically secure random authorization token that must be included in the URL path to access the artifact cache API, preventing unauthorized access.

Additionally, ensure that the cache server is not listening on all network interfaces but is bound to a specific, secure IP address.

  • Upgrade act to version 0.2.86 or newer.
  • Verify that the artifact cache HTTP handler uses the token-prefixed API path.
  • Restrict network exposure by binding the listener to a secure IP address rather than all interfaces.

If upgrading immediately is not possible, consider restricting network access to the cache server port using firewall rules to limit connections only to trusted hosts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34042. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart