CVE 9.9 CRITICAL

Gitea act_runner – Container Hardening Bypass via Workflow Container Options_CVE-2026-58053

June 27, 2026 invoker category_cve

9.9 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

Gitea act_runner with the Docker backend (through act 0.262.0) passes a workflow's container.options string to the Docker job container's HostConfig and, when configured with privileged: false, forces only the Privileged flag off while merging options such as --pid=host, --cap-add, and --security-opt unchanged. A user who can run a workflow on a Docker-backed runner can create a job container with host namespaces and broad capabilities and escape to the host as root despite privileged mode being disabled.

AI Analysis

Container Hardening Bypass via Workflow Container Options in Gitea act_runner

Basic Information

ID CVE-2026-58053

Source VulnCheck

Published Jun 28, 2026 at 01:32

Affected Product

Vendor Gitea

Product act_runner

Affected Versions Gitea act_runner 0

CWE Classification

CWE-269

AI Assessment

AI Score 9.9 / 10

AI Severity Critical

Vendor Gitea

Product act_runner

References

{
    "lastseen": "",
    "description": "Gitea act_runner with the Docker backend (through act 0.262.0) passes a workflow's container.options string to the Docker job container's HostConfig and, when configured with privileged: false, forces only the Privileged flag off while merging options such as --pid=host, --cap-add, and --security-opt unchanged. A user who can run a workflow on a Docker-backed runner can create a job container with host namespaces and broad capabilities and escape to the host as root despite privileged mode being disabled.",
    "published": "2026-06-28T01:32:55.648Z",
    "modified": "2026-06-28T01:32:55.648Z",
    "type": "cve",
    "title": "Gitea act_runner - Container Hardening Bypass via Workflow Container Options",
    "source": "VulnCheck",
    "references": "https://github.com/bikini/exploitarium/tree/main/gitea-act-runner-container-options-poc\nhttps://www.vulncheck.com/advisories/gitea-act-runner-container-hardening-bypass-via-workflow-container-options",
    "id": "CVE-2026-58053",
    "bulletinFamily": "",
    "cwe": [
        "CWE-269"
    ],
    "cvelist": null,
    "sourceData": "Gitea act_runner 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.9,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "act_runner",
    "version": "0",
    "vendor": "Gitea",
    "ai_description": "Container Hardening Bypass via Workflow Container Options in Gitea act_runner",
    "ai_severity": "Critical",
    "ai_vendor": "Gitea",
    "ai_product": "act_runner",
    "ai_version": "0",
    "ai_score": 9.9
}

💭 Join the Security Discussion ❌ Cancel Reply