High (8.2)

CVE-2026-34042: RCE — Patch Guide

CVE-2026-34042

act is a project which allows for local running of github actions. Prior to version 0.2.86, act's built in actions/cache server listens to connections on all interfaces and allows anyone who can conne...

Overview

A high-severity vulnerability, tracked as CVE-2026-34042 and rated High (8.2) above, has been identified in Act, the command-line tool used to run GitHub Actions workflows locally for testing. Versions prior to 0.2.86 expose the tool's built-in actions/cache server to the network, and a poisoned cache can lead to code execution inside the container that runs the workflow.

Vulnerability Details

In affected versions, the HTTP server that Act starts to emulate the actions/cache API binds to all network interfaces (0.0.0.0) by default instead of only the loopback interface (127.0.0.1). Anyone on the same network can therefore reach the cache server, and so can the internet if the host has a public address and no inbound firewall. The server performs no authentication, so it cannot tell the local workflow apart from a remote client.

An attacker who can connect to the exposed server can do two things: read every existing cache entry, which may expose build artifacts, dependency archives, or other sensitive material, and create new entries under arbitrary keys. Cache keys are usually predictable, because workflows build them from fixed strings and lock-file hashes (for example ${{ runner.os }}-npm-${{ hashFiles('package-lock.json') }}), and many workflows also declare restore-keys, which actions/cache matches by prefix, returning the most recently created entry. The attacker therefore does not even need the exact key; an entry whose key merely starts with the restore prefix is returned whenever the exact key misses. When the workflow next restores its cache, the poisoned archive (a node_modules directory, a pip or Maven cache, a build output tree) is extracted into the workspace, and the next build or test step executes the attacker's content inside the Docker container running the job.
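The following Go program is an added example written for this page, not act's own code, to make the mechanism concrete: an in-memory cache server with no authentication, a restore lookup that follows the documented actions/cache order (exact key, then prefix-matched restore-keys with the newest entry winning), and the single bind decision that the 0.2.86 fix changes. The /cache endpoint, its query parameters, the X-Cache-Key response header and the sample keys are assumptions made for the illustration.

```go
package main

// Added example, not act's own code: a minimal in-memory cache server that
// reproduces what the advisory describes (no authentication, arbitrary keys)
// and models the documented actions/cache lookup order: exact key first,
// then prefix-matched restore-keys, newest entry wins. The /cache endpoint
// and its query parameters are assumptions for this illustration, not act's API.

import (
	"fmt"
	"io"
	"net/http"
	"strings"
	"sync"
)

type entry struct {
	seq  int // insertion order, stands in for "most recently created"
	data []byte
}

type CacheServer struct {
	mu      sync.Mutex
	next    int
	entries map[string]entry
}

func NewCacheServer() *CacheServer { return &CacheServer{entries: map[string]entry{}} }

// Store saves data under key; no caller identity is checked, so any client
// that can reach the listener can seed any key it likes.
func (c *CacheServer) Store(key string, data []byte) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.next++
	c.entries[key] = entry{seq: c.next, data: append([]byte(nil), data...)}
}

// Restore returns the entry for the primary key if present; otherwise, for each
// restore key in order, the newest entry whose key starts with that prefix. An
// attacker-seeded "Linux-npm-x" therefore wins every restore that falls through
// to a "Linux-npm-" restore key.
func (c *CacheServer) Restore(primary string, restoreKeys []string) (string, []byte, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if e, ok := c.entries[primary]; ok {
		return primary, e.data, true
	}
	for _, prefix := range restoreKeys {
		bestKey, best := "", entry{seq: -1}
		for k, e := range c.entries {
			if strings.HasPrefix(k, prefix) && e.seq > best.seq {
				bestKey, best = k, e
			}
		}
		if best.seq >= 0 {
			return bestKey, best.data, true
		}
	}
	return "", nil, false
}

// Handler exposes Store (PUT) and Restore (GET) over HTTP with no token and no
// source-address check: the weakness reduced to its essentials.
func (c *CacheServer) Handler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/cache", func(w http.ResponseWriter, r *http.Request) {
		key := r.URL.Query().Get("key")
		if key == "" {
			http.Error(w, "missing key", http.StatusBadRequest)
			return
		}
		if r.Method == http.MethodPut {
			body, _ := io.ReadAll(r.Body)
			c.Store(key, body)
			w.WriteHeader(http.StatusCreated)
			return
		}
		// GET: restoreKeys is a comma-separated, ordered list of prefixes.
		restore := strings.FieldsFunc(r.URL.Query().Get("restoreKeys"), func(ch rune) bool { return ch == ',' })
		hit, data, ok := c.Restore(key, restore)
		if !ok {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("X-Cache-Key", hit) // which entry the client actually got
		w.Write(data)
	})
	return mux
}

// BindAddr is the one decision that separates vulnerable from patched behaviour:
// all interfaces versus loopback only. Port 0 asks the kernel for a free port.
func BindAddr(allInterfaces bool, port int) string {
	if allInterfaces {
		return fmt.Sprintf("0.0.0.0:%d", port) // pre-0.2.86: reachable from the network
	}
	return fmt.Sprintf("127.0.0.1:%d", port) // 0.2.86+: reachable from this host only
}
```

Running http.ListenAndServe(BindAddr(true, 8080), NewCacheServer().Handler()) reproduces the exposed configuration on a lab host; BindAddr(false, 8080) gives the patched one. The point to take from Restore is that an attacker does not need the developer's exact Linux-npm-<hash> key: whenever the primary key misses, any entry whose key starts with the Linux-npm- restore prefix is returned, and because the newest entry wins, a freshly seeded entry beats the developer's own older cache.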

Impact

Successful exploitation yields code execution inside the Docker container in which Act runs the workflow job. Depending on how Act is invoked, that can lead to:

  • Compromise of the host from the container. The container is only as isolated as its configuration: Act can bind-mount the working directory from the host (--bind) and can mount the host Docker daemon socket into the job container (see --container-daemon-socket), either of which turns code execution in the container into access to the host.
  • Theft of the secrets passed to the workflow (-s or --secret-file), as well as source code and artifacts present in the job.
  • Sabotage of builds by injecting malicious code into the software deliverables the pipeline produces.

The attack requires some user interaction: a developer must run an Act workflow that uses caching while the server is reachable. The barrier to initial access is low, however, because the exposed service has no authentication and the cache keys can usually be predicted from the workflow file, which is often public.

Remediation and Mitigation

The primary and immediate remediation is to update the Act tool.

1. Patch Immediately: Upgrade Act to version 0.2.86 or later, which binds the cache server to the loopback interface only. Update through your package manager (for example brew upgrade act or choco upgrade act) or download the latest release from the official GitHub repository, then confirm with act --version.

2. Immediate Mitigation for Unpatched Versions: If you cannot update immediately, do not rely on a firewall rule for a fixed port: the cache server is an HTTP service that takes a free port at start-up unless you pin one with --cache-server-port. Instead, disable it with --no-cache-server for workflows that do not need caching, or bind it to loopback explicitly with --cache-server-addr 127.0.0.1 (confirm both flags with act --help on your build). In either case verify the result while a workflow is running: ss -ltnp (or netstat -tulpn) must show no act process listening on 0.0.0.0 or [::]. A default-deny inbound host firewall remains worthwhile as defence in depth.

3. Best Practice: Treat Act like any other service that opens sockets on a workstation. Run it on trusted networks, keep a default-deny inbound host firewall so that a tool that unexpectedly binds to all interfaces is not reachable, and review listening sockets after adopting new developer tooling.
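To make the verification in step 2 checkable rather than eyeballed, here is an added Go example (not act's code) that parses ss -ltnp output and reports listeners owned by act that are bound beyond loopback. The sample output embedded in the block is constructed for the illustration, and the Audit and IsLoopback functions and the Exposure type are names chosen here, not anything act provides.

```go
package main

// Added example, not part of act: audit `ss -ltnp` output for listeners owned
// by a given process that are bound beyond loopback. The sample lines below are
// constructed for this illustration; on a real host, feed the live output of
// `ss -ltnp` (or `netstat -tulpn`, whose columns differ) into Audit.

import (
	"bufio"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Exposure is one listening socket reachable from outside the host.
type Exposure struct {
	Process string
	PID     string
	Local   string
}

// ss prints the owner as users:(("act",pid=4242,fd=9)).
var usersRe = regexp.MustCompile(`users:\(\("([^"]+)",pid=(\d+)`)

// IsLoopback reports whether a local address such as "127.0.0.1:34567" or
// "[::1]:34567" is bound to loopback only. "0.0.0.0:p", "[::]:p" and "*:p"
// are all reachable from the network and return false.
func IsLoopback(local string) bool {
	host, _, err := net.SplitHostPort(local)
	if err != nil {
		return false
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// Audit parses `ss -ltnp` output and returns the non-loopback listeners owned
// by process; with process == "" every non-loopback listener is returned.
func Audit(ssOutput, process string) []Exposure {
	var found []Exposure
	sc := bufio.NewScanner(strings.NewReader(ssOutput))
	for sc.Scan() {
		line := sc.Text()
		f := strings.Fields(line)
		// Columns: State Recv-Q Send-Q Local Peer Process; skip the header.
		if len(f) < 5 || f[0] != "LISTEN" {
			continue
		}
		name, pid := "", ""
		if m := usersRe.FindStringSubmatch(line); m != nil {
			name, pid = m[1], m[2]
		}
		if process != "" && name != process {
			continue
		}
		if !IsLoopback(f[3]) {
			found = append(found, Exposure{Process: name, PID: pid, Local: f[3]})
		}
	}
	return found
}

// Constructed sample: an act cache server on all interfaces (v4 and v6, the
// pre-0.2.86 behaviour), a second act listener correctly on loopback, and two
// unrelated services.
const sampleSS = `State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096         0.0.0.0:34567       0.0.0.0:*     users:(("act",pid=4242,fd=9))
LISTEN 0      4096       127.0.0.1:34568       0.0.0.0:*     users:(("act",pid=4242,fd=10))
LISTEN 0      128        127.0.0.1:631         0.0.0.0:*     users:(("cupsd",pid=900,fd=7))
LISTEN 0      4096               *:22                *:*     users:(("sshd",pid=800,fd=3))
LISTEN 0      4096            [::]:34567          [::]:*     users:(("act",pid=4242,fd=11))`

func main() {
	exposed := Audit(sampleSS, "act")
	if len(exposed) == 0 {
		fmt.Println("no act listener reachable beyond loopback")
		return
	}
	for _, e := range exposed {
		fmt.Printf("EXPOSED: %s (pid %s) listening on %s\n", e.Process, e.PID, e.Local)
	}
}
```

To check a live host, replace sampleSS with the contents of standard input and run ss -ltnp piped into the program while a workflow is executing. Note that ss only shows process names for sockets owned by your own user unless it is run as root, so an empty Process column is not proof that the socket does not belong to act; the IPv6 wildcard [::] is checked as well because a server bound there accepts IPv4 connections too on dual-stack hosts.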

Security Insight

This vulnerability underscores the persistent risk of developer tools inadvertently creating network-exposed attack surfaces, a theme also seen in incidents like the GlassWorm attack force-pushing malware via stolen GitHub tokens. While that attack targeted the software supply chain post-commit, CVE-2026-34042 targets the pre-commit development environment, demonstrating that the entire CI/CD pipeline, from local testing to public repositories, is under active scrutiny by threat actors.
