CVE-2026-34042
Unauthorized Cache Access in act Allows Remote Code Execution
Publication date: 2026-03-31
Last updated on: 2026-03-31
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nektos | act | to 0.2.86 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34042 is a high-severity vulnerability in the act project, which allows local running of GitHub actions. Prior to version 0.2.86, the built-in actions/cache server listens on all network interfaces without proper authorization, allowing anyone who can connect to it to create caches with arbitrary keys and retrieve all existing caches.
If an attacker can predict the cache keys used by local actions, they can create malicious caches containing arbitrary files. This can most likely lead to arbitrary remote code execution within the Docker container running the actions.
The vulnerability arises from missing authorization checks on the cache server, which exposes sensitive cache data and allows unauthorized cache manipulation.
How can this vulnerability impact me? :
This vulnerability can have serious impacts including unauthorized access to cached data and the potential for arbitrary remote code execution within the Docker container running the GitHub actions.
An attacker who can connect to the cache server can create or retrieve caches with arbitrary keys, potentially injecting malicious files that compromise the integrity and security of the environment.
Because the cache server listens on all interfaces without authorization, the attack can be performed remotely over the network, increasing the risk of exploitation.
The vulnerability has a high CVSS score of 8.2, indicating a high severity with network attack vector, low attack complexity, no privileges required, and a high confidentiality impact.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the act built-in actions/cache server is listening on all network interfaces without requiring an authorization token in the URL path.
One way to detect this is to scan for open ports on the system where act is running and attempt to access the cache API endpoints without an authorization token.
- Use a network scanning tool like nmap to identify if the cache server port is open and listening on all interfaces.
- Attempt to access the cache API endpoints (e.g., GET /_apis/artifactcache/cache) without a token to see if unauthorized access is possible.
- Example command to scan open ports (replace <host> and <port> accordingly): nmap -p <port> <host>
- Example curl command to test unauthorized access: curl -i http://<host>:<port>/_apis/artifactcache/cache
If the server responds without requiring a token or returns cache data, the system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade the act tool to version 0.2.86 or later where the issue has been patched.
The patch introduces a cryptographically secure random authorization token that must be included in the URL path to access the artifact cache API, preventing unauthorized access.
Additionally, ensure that the cache server is not listening on all network interfaces but is bound to a specific, secure IP address.
- Upgrade act to version 0.2.86 or newer.
- Verify that the artifact cache HTTP handler uses the token-prefixed API path.
- Restrict network exposure by binding the listener to a secure IP address rather than all interfaces.
If upgrading immediately is not possible, consider restricting network access to the cache server port using firewall rules to limit connections only to trusted hosts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthorized remote attackers to access and retrieve all existing caches, potentially exposing sensitive data stored within those caches. This unauthorized data access represents a high confidentiality impact, which could lead to non-compliance with data protection regulations such as GDPR and HIPAA that require strict controls over access to personal and sensitive information.
Additionally, the risk of arbitrary remote code execution within the Docker container could lead to further unauthorized actions on the system, potentially compromising data integrity and security controls mandated by these standards.
The patch introduced a secret token authorization mechanism to prevent unauthorized access, which helps restore compliance by enforcing access controls and protecting sensitive cached data.