CVE-2026-58053: Gitea act_runner Container Escape
| Field | Value |
|---|---|
| CVE ID | CVE-2026-58053 |
| CVSS score | 9.9 Critical |
| Attack vector | Workflow execution on a Docker-backed Gitea act_runner |
| Auth required | Yes. Attacker needs the ability to run or influence a workflow |
| Patch status | No first-party fixed version confirmed in the sources provided |
TL;DR -
container.optionscan pass dangerous Docker settings to job containers. - Docker-backed Giteaact_runnerdeployments with untrusted workflow authors are at highest risk. - Treat as urgent if users outside your core admin/dev team can run workflows.
What is CVE-2026-58053?
CVE-2026-58053 is a critical container hardening bypass affecting Gitea act_runner when it uses the Docker backend. According to the NVD description, the vulnerable behavior exists because a workflow’s container.options string is merged into the Docker job container HostConfig. Even when the runner is configured with privileged: false, only Docker’s Privileged flag is forcibly disabled, while other dangerous runtime options are still accepted.
That distinction matters operationally. Many teams assume privileged: false means a workflow container is reasonably constrained. In this case, it does not fully neutralize dangerous container runtime settings. The NVD description explicitly calls out examples such as --pid=host, --cap-add, and --security-opt. Those options can weaken or bypass isolation enough for a workflow-capable attacker to reach the runner host and obtain root-level access.
In plain terms, this is not just a “container misconfiguration” issue. It is a trust boundary failure in CI/CD execution. If your Gitea environment allows less-trusted users, contributors, or projects to run workflows on Docker-backed self-hosted runners, those users may be able to turn a normal job into host compromise. For defenders, the practical question is not whether the CVSS is high, but whether any untrusted workflow path exists today.
Affected Versions and Exposure Scope
The affected product is Gitea act_runner using the Docker backend. The NVD description states the vulnerable behavior exists “through act 0.262.0.” That is the most specific version information available in the supplied source material. It is important to be precise here: the research note does not establish a complete vendor-maintained affected version range for act_runner itself, and it does not provide a first-party advisory tying the CVE to a specific fixed runner release.
Because of that limitation, defenders should avoid overconfidence in version-based scoping. If you operate Gitea act_runner with Docker-backed job execution and you cannot verify from vendor documentation that your deployed runner build includes a fix for CVE-2026-58053, you should assume exposure. The absence of a confirmed fixed version in the available sources means asset owners need to validate runner version, embedded act version where possible, and execution backend before making patch compliance claims.
The risk is highest in environments with shared or multi-tenant runners, public or semi-public repositories, permissive pull request workflows, or any model where repository maintainers do not fully trust every workflow author. By contrast, tightly controlled internal-only runners dedicated to a single trusted team face lower exploitation likelihood, but still carry significant impact if credentials are stolen or a developer account is abused.
Why This Vulnerability is Dangerous
This issue enables a workflow author to influence the Docker runtime configuration of the job container more than defenders likely intend. Disabling privileged mode sounds protective, but the NVD description makes clear that it is insufficient here because the runner still merges other security-relevant Docker options into HostConfig. If an attacker can set host namespaces or broaden capabilities, they may escape normal container isolation assumptions.
The likely outcome is host-level compromise of the runner machine as root. In a CI/CD context, that can be far worse than compromising a single build job. Runner hosts often have network access to internal package registries, source code, cloud credentials, deployment tokens, and secrets caches. A compromised runner can become a pivot point into development, staging, or production systems, especially in smaller organizations where CI/CD infrastructure is under-segmented.
This also changes incident response priority. If you suspect exploit attempts, do not treat the event as a contained job-level incident. Assume the host may be compromised and any secrets accessible from that host may be exposed. That includes Gitea registration tokens, Docker credentials, SSH keys, cloud IAM material, and any artifacts processed during the runner’s lifetime.
Technical Notes
The NVD description identifies these example options as dangerous when passed through unchanged:
jobs:
build:
runs-on: self-hosted
container:
image: alpine:latest
options: --pid=host --cap-add=SYS_ADMIN --security-opt apparmor=unconfined
Why this is risky:
--pid=host -> shares host PID namespace
--cap-add=... -> grants additional Linux capabilities
--security-opt ... -> can weaken LSM confinement such as AppArmor or seccomp
Exploitation Status
A public proof of concept is known. The supplied references include a GitHub PoC repository: https://github.com/bikini/exploitarium/tree/main/gitea-act-runner-container-options-poc. That means defenders should assume exploit details are available to researchers and attackers, even if weaponization quality varies. Public exploit material significantly lowers the barrier to testing exposed environments.
At the same time, confirmed exploitation in the wild is not established from the provided sources. The CVE is not listed in CISA’s Known Exploited Vulnerabilities catalog as of 2026-06-28, and the KEV lookup result is on_kev=false. That is useful context, but it should not be misread as low risk. KEV is a lagging indicator and self-hosted CI/CD infrastructure is often under-reported in public exploitation telemetry.
Operationally, the most accurate status is this:
| Signal | Status |
|---|---|
| Public PoC exists | Yes |
| Confirmed exploitation in the wild | Unknown / not established from provided sources |
| CISA KEV listed | No |
| Ransomware association | No evidence from provided sources |
In the absence of authoritative exploitation telemetry, defenders should assume opportunistic exploitation is plausible anywhere untrusted workflow execution is allowed. A critical CI/CD breakout with a public PoC is the kind of issue that gets tested quickly by red teams, bug hunters, and attackers scanning for weak self-hosted automation.
What Defenders Should Do Next
First, inventory every Gitea act_runner instance and identify which ones use the Docker backend. If you do not know the backend, treat that as a gap to close immediately. Mapping trust boundaries is just as important as version discovery here, because exploitability depends heavily on who can run or modify workflows targeting those runners.
Second, prioritize exposure based on workflow trust. Public-facing repositories, shared runners, and environments that execute pull-request or contributor-controlled code should move to the top of the response queue. If necessary, temporarily disable those runner assignments while investigating. That is a reasonable business decision for a host-root CI/CD breakout issue with a public PoC and no clearly verified fixed version in hand.
Third, prepare for the possibility that host compromise has already occurred anywhere suspicious workflow activity is found. Preserve runner logs, Docker events, container metadata, and host forensic artifacts before cleanup. Rotate secrets reachable from the runner, rebuild compromised hosts from clean images, and avoid returning the same machine to service without re-provisioning.
How to Detect Attempted Exploitation
Start by auditing workflow definitions in repositories that target self-hosted runners. Search for container.options usage and specifically for high-risk Docker flags such as --pid=host, --cap-add, and --security-opt. In many environments, this YAML review will be the fastest initial scoping method because the exploit path depends on user-controlled workflow configuration.
Second, inspect the runner host’s Docker activity. Because the vulnerable behavior results in Docker job containers being created with unsafe host configuration, Docker daemon events, container inspect output, and process execution history on the runner are high-value evidence sources. You are looking for containers launched by the runner with host namespace access, unusual capability additions, or weakened security profiles.
A third detection angle is host behavior. If a workflow job unexpectedly interacts with host processes, mounts sensitive paths, enumerates /proc broadly, or spawns shells outside expected build steps, escalate quickly. In this case, suspicious behavior on the host may be more reliable than application-layer alerts because CI/CD jobs often execute arbitrary code by design.
Technical Notes
Useful grep patterns for repository and workflow review:
grep -RInE 'container:|options:|--pid=host|--cap-add|--security-opt' /srv/gitea-repos/
grep -RInE 'runs-on:.*self-hosted' /srv/gitea-repos/
Docker log and event review on the runner host:
docker events --since 24h | grep -E 'create|start'
docker ps -aq | xargs -r docker inspect | grep -E '"PidMode":|"CapAdd":|"SecurityOpt":'
journalctl -u docker --since "24 hours ago" | grep -E 'pid=host|cap-add|security-opt'
Concrete detection query example for Docker inspect output:
docker ps -aq | while read c; do
docker inspect "$c" --format '{{.Id}} {{.HostConfig.PidMode}} {{.HostConfig.CapAdd}} {{.HostConfig.SecurityOpt}}'
done | grep -E ' host |
[.+]|\[[^]]*unconfined[^]]*'
Example suspicious indicators to hunt for:
"PidMode": "host"
"CapAdd": ["SYS_ADMIN"]
"SecurityOpt": ["apparmor=unconfined"]
"SecurityOpt": ["seccomp=unconfined"]
If you centralize telemetry, create alerts on runner hosts for Docker containers started with host PID namespace, added Linux capabilities beyond baseline, or unconfined AppArmor/seccomp profiles.
Mitigation and Patching Guidance
No first-party fixed version is confirmed in the provided sources, so do not claim remediation simply by pointing to a guessed release. The defensible position is: if you use Docker-backed Gitea act_runner and cannot verify from vendor documentation that your deployed version contains a fix for CVE-2026-58053, treat the system as vulnerable and mitigate immediately.
The strongest short-term mitigation is to remove untrusted code execution from Docker-backed runners. That may mean disabling self-hosted Actions for exposed repositories, separating trusted and untrusted projects onto different runner pools, or moving high-risk workflows off Docker-backed act_runner until vendor guidance is available. If your environment supports only trusted internal workflows, confirm that assumption and enforce it with repository permissions, branch protection, and runner scoping.
Runner isolation also matters. Place runners on disposable hosts or dedicated VMs rather than shared infrastructure. Assume a runner compromise can become a host compromise, and design the environment accordingly. Restrict outbound network access, minimize secrets on the host, rotate runner registration tokens, and avoid reusing the same runner for workloads with different trust levels.
Technical Notes
If you need to stop exposure quickly, disable or stop runner services on systems used by untrusted repos:
sudo systemctl stop act_runner
sudo systemctl disable act_runner
If you must keep runners online for trusted workloads only, segregate them and review configuration before restarting:
sudo systemctl status act_runner
sudo systemctl journalctl -u act_runner -n 200
Review workflow files and remove dangerous container options immediately:
grep -RInE 'options:\s*.*(--pid=host|--cap-add|--security-opt)' /srv/gitea-repos/
Example workaround by editing workflow YAML to remove unsafe options:
# vulnerable pattern
container:
image: alpine:latest
options: --pid=host --cap-add=SYS_ADMIN --security-opt apparmor=unconfined
# safer interim pattern
container:
image: alpine:latest
If your package or deployment method allows controlled upgrades, verify available runner releases first rather than assuming a fixed build:
act_runner --version
docker version
If you deploy the runner in a container, pin image updates only after validating vendor release notes:
docker ps --filter name=act_runner
docker inspect act_runner --format '{{.Config.Image}}'
Because the exact fixed version is unknown from the supplied sources, the safest workaround is operational: restrict who can run workflows, isolate runner hosts, and suspend Docker-backed runners for untrusted workloads until authoritative vendor patch guidance is confirmed.
References
- NVD record for CVE-2026-58053
- CISA KEV lookup result for CVE-2026-58053: not listed
- Public PoC:
https://github.com/bikini/exploitarium/tree/main/gitea-act-runner-container-options-poc - Third-party advisory:
https://www.vulncheck.com/advisories/gitea-act-runner-container-hardening-bypass-via-workflow-container-options - Gitea runner releases:
https://gitea.com/gitea/runner/releases - Gitea
act_runnerdocumentation:https://docs.gitea.com/usage/actions/act-runner
For additional context on security practices, you may refer to our articles on Insecure Direct Object Reference and SQL Injection.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.