{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/act/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-34042"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["act","cache-poisoning","rce","github-actions","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003eact\u003c/code\u003e project, designed for local execution of GitHub Actions workflows, contains a critical vulnerability affecting versions prior to 0.2.86. The built-in actions/cache server, intended for local caching, inadvertently listens for connections on all network interfaces. This exposure allows any attacker capable of reaching the server, including those on the internet, to create caches with arbitrary keys and retrieve existing cache data. By predicting the cache keys used by local actions, an attacker can inject malicious content into the cache, paving the way for arbitrary remote code execution within the Docker container used by \u003ccode\u003eact\u003c/code\u003e. This vulnerability was addressed in version 0.2.86 of \u003ccode\u003eact\u003c/code\u003e. The CVSS v3.1 base score is 8.2, indicating a high severity threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable \u003ccode\u003eact\u003c/code\u003e instance running a version prior to 0.2.86 with its cache server exposed on all interfaces.\u003c/li\u003e\n\u003cli\u003eThe attacker probes the exposed \u003ccode\u003eact\u003c/code\u003e cache server to determine accessible endpoints and version information.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes common GitHub Actions workflows and identifies predictable cache keys.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious cache archive containing payloads designed for remote code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious cache archive to the vulnerable \u003ccode\u003eact\u003c/code\u003e instance using the predicted cache key.\u003c/li\u003e\n\u003cli\u003eA legitimate user triggers a local GitHub Actions workflow using \u003ccode\u003eact\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eact\u003c/code\u003e instance retrieves the attacker\u0026rsquo;s malicious cache archive instead of the expected legitimate cache.\u003c/li\u003e\n\u003cli\u003eThe malicious payload within the cache is executed within the Docker container, leading to remote code execution on the host system running \u003ccode\u003eact\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to achieve arbitrary remote code execution on the host system running the vulnerable version of \u003ccode\u003eact\u003c/code\u003e. This can lead to complete system compromise, data theft, and further lateral movement within the network. The vulnerability affects any user running a version of \u003ccode\u003eact\u003c/code\u003e prior to 0.2.86 with the cache server exposed. While the number of directly affected users is unknown, the potential impact on development environments and CI/CD pipelines is significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to version 0.2.86 or later of the \u003ccode\u003eact\u003c/code\u003e project to remediate the vulnerability (CVE-2026-34042).\u003c/li\u003e\n\u003cli\u003eImplement network access controls to restrict access to the \u003ccode\u003eact\u003c/code\u003e cache server to only trusted networks and hosts.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to the \u003ccode\u003eact\u003c/code\u003e cache server for unexpected or unauthorized access.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring on systems running \u003ccode\u003eact\u003c/code\u003e to detect potentially malicious processes spawned from Docker containers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T03:15:58Z","date_published":"2026-03-31T03:15:58Z","id":"/briefs/2024-02-29-act-cache-rce/","summary":"A vulnerability in versions prior to 0.2.86 of the act project allows remote attackers to create arbitrary caches, potentially leading to remote code execution within Docker containers by poisoning predicted cache keys.","title":"act Project Cache Poisoning Vulnerability Leads to Potential RCE","url":"https://feed.craftedsignal.io/briefs/2024-02-29-act-cache-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Act","version":"https://jsonfeed.org/version/1.1"}