The vulnerability identified as CVE-2026-34042 affects the nektos act project, a tool that enables local execution of GitHub Actions workflows. Prior to version 0.2.86, the built-in actions/cache server component of act listens on all network interfaces without enforcing authorization, thereby exposing it to remote unauthenticated access. This cache server allows clients to create caches with arbitrary keys and retrieve any existing caches. Because cache keys used by local actions can be predicted, an attacker who can connect to the cache server can pre-populate caches with malicious files. When the local GitHub Actions workflow subsequently uses these caches, it may execute attacker-controlled code within the Docker container environment. This leads to arbitrary remote code execution, compromising the confidentiality and integrity of the host system and potentially allowing lateral movement or further exploitation. The vulnerability is classified under CWE-862 (Missing Authorization) and has a CVSS v3.1 score of 8.2, reflecting its high severity. The attack vector is network-based (AV:N), requires no privileges (PR:N), but does require user interaction (UI:R) in the sense that the user must run act locally. The scope is changed (S:C) because the vulnerability affects resources beyond the vulnerable component. The vulnerability has been patched in version 0.2.86 by restricting the cache server's listening interfaces and enforcing proper authorization. No known exploits have been reported in the wild yet, but the potential impact is significant given the ease of exploitation and the critical nature of arbitrary code execution.

The impact of CVE-2026-34042 is substantial for organizations using nektos act to run GitHub Actions locally, especially in development, testing, or CI/CD environments. An attacker able to connect to the exposed cache server can inject malicious cache entries, leading to arbitrary code execution within Docker containers. This compromises the confidentiality and integrity of the affected systems, potentially allowing attackers to execute arbitrary commands, steal sensitive data, or pivot to other internal resources. Since the cache server listens on all interfaces by default, any network-exposed instance is vulnerable, increasing the attack surface. This can lead to supply chain risks if malicious code is introduced into build or deployment pipelines. The vulnerability does not directly affect production GitHub Actions environments but impacts local development workflows, which can indirectly affect production if compromised artifacts or code are promoted. The lack of authentication and the ability to predict cache keys make exploitation straightforward for remote attackers. Organizations with lax network segmentation or exposed developer machines are at higher risk. The vulnerability could also facilitate lateral movement within internal networks if exploited by an insider or malware.

To mitigate CVE-2026-34042, organizations should immediately upgrade nektos act to version 0.2.86 or later, where the vulnerability is patched. Until upgrading, restrict network access to the cache server by configuring firewall rules or network policies to allow connections only from trusted hosts, such as the local machine or specific developer workstations. Disable or avoid exposing the cache server on public or untrusted networks. Implement network segmentation to isolate developer environments running act from broader corporate networks. Monitor network traffic for unusual connections to the cache server port. Educate developers about the risks of running vulnerable versions of act and encourage best practices such as running local workflows in isolated environments. Consider using container runtime security tools to detect anomalous behavior within Docker containers spawned by act. Regularly audit and verify cache contents to detect unauthorized or unexpected files. Finally, review and apply principle of least privilege to local development environments to limit potential damage from exploitation.