CVE-2026-34042

Source
https://cve.org/CVERecord?id=CVE-2026-34042
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34042.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-34042
Aliases
Downstream
Related
Published
2026-03-31T01:46:15.747Z
Modified
2026-04-08T08:00:17.542216Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Summary
act: actions/cache server allows malicious cache injection
Details

act is a project that runs GitHub Actions locally. Prior to version 0.2.86, act's built-in actions/cache server listens for connections on all interfaces and allows anyone who can connect to it, including someone anywhere on the internet, to create caches with arbitrary keys and retrieve all existing caches. If they can predict which cache keys local actions will use, they can create malicious caches containing whatever files they please, most likely allowing arbitrary remote code execution within the Docker container. This issue has been patched in version 0.2.86.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34042.json",
    "cwe_ids": [
        "CWE-862"
    ]
}
References

Affected packages

Git / github.com/nektos/act

Affected ranges

Type
GIT
Repo
https://github.com/nektos/act
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.2.86"
        }
    ]
}

Affected versions

v0.*
v0.0.1
v0.0.2
v0.0.3
v0.0.4
v0.0.5
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.2.0
v0.2.1
v0.2.10
v0.2.11
v0.2.12
v0.2.13
v0.2.14
v0.2.15
v0.2.16
v0.2.17
v0.2.18
v0.2.19
v0.2.2
v0.2.20
v0.2.21
v0.2.22
v0.2.23
v0.2.24
v0.2.25
v0.2.26
v0.2.27
v0.2.28
v0.2.29
v0.2.3
v0.2.30
v0.2.31
v0.2.32
v0.2.33
v0.2.34
v0.2.35
v0.2.36
v0.2.37
v0.2.38
v0.2.39
v0.2.4
v0.2.40
v0.2.41
v0.2.42
v0.2.43
v0.2.44
v0.2.45
v0.2.46
v0.2.47
v0.2.48
v0.2.49
v0.2.5
v0.2.50
v0.2.51
v0.2.52
v0.2.53
v0.2.54
v0.2.55
v0.2.56
v0.2.57
v0.2.58
v0.2.59
v0.2.6
v0.2.60
v0.2.61
v0.2.62
v0.2.63
v0.2.64
v0.2.65
v0.2.66
v0.2.67
v0.2.68
v0.2.69
v0.2.7
v0.2.70
v0.2.71
v0.2.72
v0.2.73
v0.2.74
v0.2.75
v0.2.76
v0.2.77
v0.2.78
v0.2.79
v0.2.8
v0.2.80
v0.2.81
v0.2.82
v0.2.83
v0.2.84
v0.2.85
v0.2.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34042.json"