CVE-2026-34042 Overview
CVE-2026-34042 is a Missing Authorization (CWE-862) vulnerability in act, a widely used tool for running GitHub Actions workflows locally. Prior to version 0.2.86, act's built-in actions/cache server listens on all network interfaces (0.0.0.0) and applies no access control, so any host that can reach the port can use the cache service. Unauthorized clients can therefore create cache entries under arbitrary keys and read back all existing cached data.
Critical Impact
An attacker with network access to the cache port can plant a cache entry containing malicious files. When a workflow later restores that entry, the attacker's content ends up in the job's workspace and is executed by whatever step uses it, giving code execution inside the Docker container in which act runs the workflow.
Affected Products
- act versions prior to 0.2.86
- Forgejo Runner (related affected component)
- GitHub Actions local development environments using vulnerable act versions
Discovery Timeline
- March 31, 2026 - CVE-2026-34042 published to NVD
- April 1, 2026 - Last updated in NVD database
Technical Details for CVE-2026-34042
Vulnerability Analysis
The vulnerability stems from CWE-862 (Missing Authorization) in act's internal cache server. The server, which emulates GitHub's actions/cache service for local workflow execution, binds to all network interfaces instead of the loopback interface, and no authentication or authorization check is applied to incoming cache requests: being able to reach the port is the only requirement for using it.
An attacker who can connect to the cache server can do two things: create cache entries under keys of their choosing, and read back every existing entry. Because GitHub Actions cache keys are usually built from predictable inputs (workflow configuration, hashes of dependency lock files, the runner OS, branch names), the attacker can plant a poisoned entry under the key a legitimate workflow will ask for, before that workflow runs.
The impact extends beyond data theft. When a workflow restores a poisoned cache containing malicious binaries or scripts (a tampered node_modules or tool binary, for example), those files are used by the following steps and run inside the Docker container that hosts the build, giving the attacker code execution in the containerized build environment.
Root Cause
The root cause is the cache server binding to all interfaces (0.0.0.0) combined with a complete absence of authentication or authorization for cache operations. The server treats every connection as trusted, an assumption that only holds when the listener is confined to the loopback interface and every local user of the machine is itself trusted.
Attack Vector
The attack requires network access to the cache port on the machine running act: an attacker on the same network segment, or anywhere on the internet if the host is reachable without firewall protection, can connect to the cache server directly. Cache keys in GitHub Actions workflows commonly follow patterns such as npm-${{ runner.os }}-${{ hashFiles('package-lock.json') }} or go-mod-${{ runner.os }}-${{ hashFiles('go.sum') }}, which anyone with a copy of the repository can compute; the cache version the client sends alongside the key is derived from the cached paths and the compression method and is just as predictable. Where a workflow also lists restore-keys prefixes, the attacker does not even need the exact key, because actions/cache falls back to the newest entry whose key starts with a listed prefix. When a legitimate workflow restores the poisoned entry, the attacker's content is placed in the job's workspace and runs in the action's runtime context as soon as a step uses it.
The mechanism is simply that the cache server accepts unauthenticated requests for cache creation and retrieval. The security fix and further technical details are in the GitHub Security Advisory and the commit that addresses the issue.
Detection Methods for CVE-2026-34042
Indicators of Compromise
- Connections to the act cache server port from sources other than the loopback interface or the Docker bridge network the workflow containers use
- Cache entries whose keys do not match the patterns the workflows actually produce, including entries whose key is only a restore-keys prefix
- Cache retrieval activity from external IP addresses, which indicates cache contents being read out
- Modified or unexpected files appearing in the cache directory or in restored cache paths
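The following script is an added example (my code, not act's and not from the advisory) that turns the key- and peer-related indicators above into a check: it takes an export of cache entries and flags keys that do not match the workflows' expected patterns, keys that only match a restore-keys prefix (and would therefore be served as a fallback hit), and entries created from a peer outside the trusted networks. The export format, the key patterns, the trusted networks (loopback plus an assumed 172.17.0.0/16 Docker bridge) and the sample entries are all assumptions made for the illustration.

```python
"""Added example, not code from act or the advisory: audit cache entries for
the indicators of poisoning described above.

Assumptions (not from the page): you can export each entry's key and the
address of the client that created it from your cache store or a proxy in
front of it; the patterns, trusted networks and sample entries below are
constructed for this illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Key patterns the workflows actually produce, e.g. from
#   key: npm-${{ runner.os }}-${{ hashFiles('package-lock.json') }}
EXPECTED_KEY_PATTERNS = (
    re.compile(r"npm-(Linux|macOS|Windows)-[0-9a-f]{64}"),
    re.compile(r"go-mod-(Linux|macOS|Windows)-[0-9a-f]{64}"),
)
# restore-keys prefixes from the same workflows. actions/cache serves the newest
# entry whose key starts with a prefix when no exact key exists, so a poisoned
# entry only has to begin with one of these to be picked up.
RESTORE_KEY_PREFIXES = ("npm-Linux-", "go-mod-Linux-")
# Peers that legitimately write to the cache: loopback, and the Docker bridge
# network the workflow containers run on (assumed to be 172.17.0.0/16 here).
TRUSTED_NETWORKS = tuple(
    ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "172.17.0.0/16")
)


@dataclass(frozen=True)
class CacheEntry:
    key: str
    peer: str  # address of the client that created the entry


@dataclass(frozen=True)
class Finding:
    key: str
    reason: str


def peer_is_trusted(peer, networks=TRUSTED_NETWORKS):
    """True if the peer address lies inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def audit_entries(entries, patterns=EXPECTED_KEY_PATTERNS,
                  prefixes=RESTORE_KEY_PREFIXES, networks=TRUSTED_NETWORKS):
    """Return one Finding per suspicious property of each entry, in input order."""
    findings = []
    for entry in entries:
        if not peer_is_trusted(entry.peer, networks):
            findings.append(Finding(entry.key,
                f"created from untrusted peer {entry.peer}"))
        if not any(p.fullmatch(entry.key) for p in patterns):
            if entry.key.startswith(prefixes):
                findings.append(Finding(entry.key,
                    "matches a restore-keys prefix but not a full key pattern: "
                    "would be served as a fallback hit"))
            else:
                findings.append(Finding(entry.key,
                    "does not match any expected key pattern"))
    return findings


# Constructed sample export (not real data).
SAMPLE_ENTRIES = (
    CacheEntry("npm-Linux-" + "a" * 64, "172.17.0.3"),    # written by a workflow container
    CacheEntry("npm-Linux-" + "b" * 64, "192.168.1.50"),  # predicted key, external peer
    CacheEntry("npm-Linux-", "192.168.1.50"),             # bare restore-keys prefix
    CacheEntry("nothing-to-see-here", "127.0.0.1"),       # unknown key from a local user
)


if __name__ == "__main__":
    for finding in audit_entries(SAMPLE_ENTRIES):
        print(f"{finding.key}: {finding.reason}")
```

Run against the sample, the first entry produces no finding, the second is flagged for its peer, the third for its peer and for being a prefix-only key, and the fourth for not matching any pattern. The peer check is only meaningful if your cache store or a reverse proxy in front of it records client addresses; if it does not, drop that check rather than trusting a field you cannot populate.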
Detection Strategies
- Monitor network traffic for connections to act's cache server port arriving on external interfaces
- Segment developer machines from untrusted networks and alert on connection attempts that cross that boundary
- List act's listening sockets with ss -tlnp (or netstat -tlnp) and confirm the cache server is bound to 127.0.0.1 rather than 0.0.0.0 or *
- Audit cache contents for unexpected or suspicious files before workflows restore them
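As an added example (my code, not act's and not from the advisory), here is the socket check from the list above as a script that can be run on a schedule: it parses the output of ss -Htlnp and reports every listener owned by act whose bind address is not loopback. That act appears in the ss process column as users:(("act",...)) is an assumption, and the sample ss output embedded in the script is constructed, not captured from a real machine.

```python
"""Added example, not code from act or the advisory: report act listeners that
other hosts can reach, by parsing the output of `ss -Htlnp`.

Assumptions (not from the page): the act binary shows up in ss's process column
as users:(("act",...)); the sample output below is constructed, not captured.
Run with --live to query the local machine instead of the sample.
"""
import ipaddress
import subprocess
import sys

# Constructed sample of `ss -Htlnp` output: one act listener bound to the IPv4
# wildcard, one to IPv4 loopback, one to the IPv6 wildcard, plus an unrelated sshd.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 4096 0.0.0.0:34567 0.0.0.0:* users:(("act",pid=4242,fd=9))
LISTEN 0 4096 127.0.0.1:34568 0.0.0.0:* users:(("act",pid=4242,fd=10))
LISTEN 0 4096 [::]:34569 [::]:* users:(("act",pid=4242,fd=11))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1,fd=3))
"""


def split_local_address(local):
    """Split ss's 'Local Address:Port' column into (host, port); IPv6 hosts
    arrive bracketed, e.g. '[::1]:8080' -> ('::1', 8080)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host):
    """True only for 127.0.0.0/8 and ::1. Wildcards (0.0.0.0, ::) and routable
    addresses return False: those are what a remote attacker can connect to."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def exposed_listeners(ss_output, process_name="act"):
    """Return [(host, port), ...] for TCP listeners owned by process_name that
    are bound to anything other than a loopback address."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6:  # header or malformed line
            continue
        local, process = fields[3], " ".join(fields[5:])
        if f'"{process_name}"' not in process:
            continue
        host, port = split_local_address(local)
        if not is_loopback(host):
            exposed.append((host, port))
    return exposed


def main(argv):
    """Exit status 1 if any act listener is exposed, 0 otherwise."""
    if "--live" in argv:
        ss_output = subprocess.run(
            ["ss", "-Htlnp"], check=True, capture_output=True, text=True
        ).stdout
    else:
        ss_output = SAMPLE_SS_OUTPUT
    exposed = exposed_listeners(ss_output)
    for host, port in exposed:
        print(f"EXPOSED: act listening on {host}:{port} (reachable from other hosts)")
    if not exposed:
        print("OK: every act listener is bound to loopback")
    return 1 if exposed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Against the sample the script reports the 0.0.0.0 and [::] listeners and exits 1. When run with --live, ss only shows the owning process for sockets the invoking user can inspect, so run it as root (or as the user that runs act) or the process column will be empty and nothing will match.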
Monitoring Recommendations
- Alert when the firewall rules that restrict the cache server port are removed or changed
- Run network intrusion detection for anomalous traffic to development hosts, including scans for open high-numbered ports
- Log and alert on cache server connections from addresses outside loopback and the workflow containers' network
- Monitor container filesystems for unexpected modifications during workflow execution
How to Mitigate CVE-2026-34042
Immediate Actions Required
- Upgrade act to version 0.2.86 or later immediately
- Verify no external network exposure exists for development machines running act
- Implement host-based firewall rules to restrict cache server access to localhost only
- Audit existing cached data for tampering before reusing it with the updated version, or clear the cache directory (the path configured with act's --cache-server-path option) and let workflows rebuild it
Patch Information
The vulnerability has been patched in act version 0.2.86. The fix modifies the cache server to bind exclusively to the loopback interface, so the service is no longer reachable from other hosts. Users should update via their package manager or by downloading the latest release from the project's GitHub releases page. The specific fix can be reviewed in the GitHub commit referenced by the advisory.
Workarounds
- Configure the host firewall to block all external access to act's cache server port
- Start act with the cache server bound to loopback (--cache-server-addr 127.0.0.1) and a fixed port (--cache-server-port), or turn the server off with --no-cache-server if no workflow uses actions/cache; confirm the option names with act --help for your version. Depending on how act connects the workflow container to the host, a loopback-only listener may be unreachable from inside the container, so run a workflow that uses the cache after changing it.
- Run act only on isolated networks without external connectivity
- Use network namespacing or containerization to isolate act's network interfaces
# Configuration example
# Block external access to act's cache server (example using iptables).
# Replace PORT with the cache server port; act picks a free port at startup
# unless one is fixed with --cache-server-port (check act --help), so pin it.
# Insert at the top of the chain (-I) rather than append (-A), so an earlier
# broad ACCEPT rule cannot shadow these; match loopback by interface (-i lo).
iptables -I INPUT 1 -p tcp --dport PORT -i lo -j ACCEPT
iptables -I INPUT 2 -p tcp --dport PORT -j DROP
# If workflow containers on the Docker bridge need the cache, allow that
# interface as well, ahead of the DROP rule:
#   iptables -I INPUT 2 -p tcp --dport PORT -i docker0 -j ACCEPT
# Alternatively, verify act is binding to localhost only: the Local Address
# column should show 127.0.0.1, not 0.0.0.0 or *
ss -tlnp | grep '"act"'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

