Container Hardening Bypass in Gitea's act_runner Docker Integration
CVE-2026-58053
Key Information:
- Vendor
Gitea
- Status
- Vendor
- CVE Published:
- 28 June 2026
Badges
What is CVE-2026-58053?
The Gitea act_runner component, specifically when utilized with the Docker backend through act version 0.262.0, is susceptible to a container hardening bypass. This vulnerability arises due to the manner in which the runner processes the container.options string within a workflow. Although the setup can enforce 'privileged: false', it inadequately restricts other host capabilities and settings, allowing users with workflow execution permissions to create job containers that access host namespaces and inherit extensive capabilities. Consequently, this could enable attackers to escape the container environment and gain unauthorized root access to the host system.
Affected Version(s)
act_runner 0 <= 0.262.0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
