CVE-2026-34042

act: The CVE-2026-34042 flaw in the act project’s actions/cache server lets connections from any interface create caches with arbitrary keys and read existing caches, potentially enabling arbitrary remote code execution inside the local Docker container. The issue stems from listening on all inte...

GHSA-X34H-54CW-9825 act: actions/cache server allows malicious cache injection

act's built-in actions/cache server listens to connections on all interfaces and allows anyone who can connect to it — including someone anywhere on the internet — to create caches with arbitrary keys and retrieve all existing caches. If one can predict which cache keys will be used by local...

act: actions/cache server allows malicious cache injection

act's built-in actions/cache server listens to connections on all interfaces and allows anyone who can connect to it — including someone anywhere on the internet — to create caches with arbitrary keys and retrieve all existing caches. If one can predict which cache keys will be used by local...

PT-2026-28595

Name of the Vulnerable Software and Affected Versions act versions prior to 0.2.86 Description act, a project for running GitHub Actions locally, has an issue where the built-in actions/cache server listens on all interfaces, potentially allowing unauthorized access from the internet. This allows...