eastbaycyber

CVE-2026-58053: Gitea act_runner Container Escape

CVE explainers 9 min read
SR
Security Research Desk Expert reviewed
Threat intelligence · Human-verified · Updated 2026-06-28
▲ Escalation ViewOne CVE, briefed at three altitudes — skim the Brief, weigh the Impact, or work the Runbook. The way a SOC actually reads it.
CISOBrief · 30-second brief
Field Value
CVE ID CVE-2026-58053
CVSS score 9.9 Critical
Attack vector Workflow execution on a Docker-backed Gitea act_runner
Auth required Yes. Attacker needs the ability to run or influence a workflow
Patch status No first-party fixed version confirmed in the sources provided

TL;DR - container.options can pass dangerous Docker settings to job containers. - Docker-backed Gitea act_runner deployments with untrusted workflow authors are at highest risk. - Treat as urgent if users outside your core admin/dev team can run workflows.

What is CVE-2026-58053?

CVE-2026-58053 is a critical container hardening bypass affecting Gitea act_runner when it uses the Docker backend. According to the NVD description, the vulnerable behavior exists because a workflow’s container.options string is merged into the Docker job container HostConfig. Even when the runner is configured with privileged: false, only Docker’s Privileged flag is forcibly disabled, while other dangerous runtime options are still accepted.

That distinction matters operationally. Many teams assume privileged: false means a workflow container is reasonably constrained. In this case, it does not fully neutralize dangerous container runtime settings. The NVD description explicitly calls out examples such as --pid=host, --cap-add, and --security-opt. Those options can weaken or bypass isolation enough for a workflow-capable attacker to reach the runner host and obtain root-level access.

In plain terms, this is not just a “container misconfiguration” issue. It is a trust boundary failure in CI/CD execution. If your Gitea environment allows less-trusted users, contributors, or projects to run workflows on Docker-backed self-hosted runners, those users may be able to turn a normal job into host compromise. For defenders, the practical question is not whether the CVSS is high, but whether any untrusted workflow path exists today.

AnalystImpact · assess the risk

Affected Versions and Exposure Scope

The affected product is Gitea act_runner using the Docker backend. The NVD description states the vulnerable behavior exists “through act 0.262.0.” That is the most specific version information available in the supplied source material. It is important to be precise here: the research note does not establish a complete vendor-maintained affected version range for act_runner itself, and it does not provide a first-party advisory tying the CVE to a specific fixed runner release.

Because of that limitation, defenders should avoid overconfidence in version-based scoping. If you operate Gitea act_runner with Docker-backed job execution and you cannot verify from vendor documentation that your deployed runner build includes a fix for CVE-2026-58053, you should assume exposure. The absence of a confirmed fixed version in the available sources means asset owners need to validate runner version, embedded act version where possible, and execution backend before making patch compliance claims.

The risk is highest in environments with shared or multi-tenant runners, public or semi-public repositories, permissive pull request workflows, or any model where repository maintainers do not fully trust every workflow author. By contrast, tightly controlled internal-only runners dedicated to a single trusted team face lower exploitation likelihood, but still carry significant impact if credentials are stolen or a developer account is abused.

Why This Vulnerability is Dangerous

This issue enables a workflow author to influence the Docker runtime configuration of the job container more than defenders likely intend. Disabling privileged mode sounds protective, but the NVD description makes clear that it is insufficient here because the runner still merges other security-relevant Docker options into HostConfig. If an attacker can set host namespaces or broaden capabilities, they may escape normal container isolation assumptions.

The likely outcome is host-level compromise of the runner machine as root. In a CI/CD context, that can be far worse than compromising a single build job. Runner hosts often have network access to internal package registries, source code, cloud credentials, deployment tokens, and secrets caches. A compromised runner can become a pivot point into development, staging, or production systems, especially in smaller organizations where CI/CD infrastructure is under-segmented.

This also changes incident response priority. If you suspect exploit attempts, do not treat the event as a contained job-level incident. Assume the host may be compromised and any secrets accessible from that host may be exposed. That includes Gitea registration tokens, Docker credentials, SSH keys, cloud IAM material, and any artifacts processed during the runner’s lifetime.

Technical Notes

The NVD description identifies these example options as dangerous when passed through unchanged:

jobs:
  build:
    runs-on: self-hosted
    container:
      image: alpine:latest
      options: --pid=host --cap-add=SYS_ADMIN --security-opt apparmor=unconfined

Why this is risky:

--pid=host         -> shares host PID namespace
--cap-add=...      -> grants additional Linux capabilities
--security-opt ... -> can weaken LSM confinement such as AppArmor or seccomp

Exploitation Status

A public proof of concept is known. The supplied references include a GitHub PoC repository: https://github.com/bikini/exploitarium/tree/main/gitea-act-runner-container-options-poc. That means defenders should assume exploit details are available to researchers and attackers, even if weaponization quality varies. Public exploit material significantly lowers the barrier to testing exposed environments.

At the same time, confirmed exploitation in the wild is not established from the provided sources. The CVE is not listed in CISA’s Known Exploited Vulnerabilities catalog as of 2026-06-28, and the KEV lookup result is on_kev=false. That is useful context, but it should not be misread as low risk. KEV is a lagging indicator and self-hosted CI/CD infrastructure is often under-reported in public exploitation telemetry.

Operationally, the most accurate status is this:

Signal Status
Public PoC exists Yes
Confirmed exploitation in the wild Unknown / not established from provided sources
CISA KEV listed No
Ransomware association No evidence from provided sources

In the absence of authoritative exploitation telemetry, defenders should assume opportunistic exploitation is plausible anywhere untrusted workflow execution is allowed. A critical CI/CD breakout with a public PoC is the kind of issue that gets tested quickly by red teams, bug hunters, and attackers scanning for weak self-hosted automation.

What Defenders Should Do Next

First, inventory every Gitea act_runner instance and identify which ones use the Docker backend. If you do not know the backend, treat that as a gap to close immediately. Mapping trust boundaries is just as important as version discovery here, because exploitability depends heavily on who can run or modify workflows targeting those runners.

Second, prioritize exposure based on workflow trust. Public-facing repositories, shared runners, and environments that execute pull-request or contributor-controlled code should move to the top of the response queue. If necessary, temporarily disable those runner assignments while investigating. That is a reasonable business decision for a host-root CI/CD breakout issue with a public PoC and no clearly verified fixed version in hand.

Third, prepare for the possibility that host compromise has already occurred anywhere suspicious workflow activity is found. Preserve runner logs, Docker events, container metadata, and host forensic artifacts before cleanup. Rotate secrets reachable from the runner, rebuild compromised hosts from clean images, and avoid returning the same machine to service without re-provisioning.

ResponderRunbook · act now

How to Detect Attempted Exploitation

Start by auditing workflow definitions in repositories that target self-hosted runners. Search for container.options usage and specifically for high-risk Docker flags such as --pid=host, --cap-add, and --security-opt. In many environments, this YAML review will be the fastest initial scoping method because the exploit path depends on user-controlled workflow configuration.

Second, inspect the runner host’s Docker activity. Because the vulnerable behavior results in Docker job containers being created with unsafe host configuration, Docker daemon events, container inspect output, and process execution history on the runner are high-value evidence sources. You are looking for containers launched by the runner with host namespace access, unusual capability additions, or weakened security profiles.

A third detection angle is host behavior. If a workflow job unexpectedly interacts with host processes, mounts sensitive paths, enumerates /proc broadly, or spawns shells outside expected build steps, escalate quickly. In this case, suspicious behavior on the host may be more reliable than application-layer alerts because CI/CD jobs often execute arbitrary code by design.

Technical Notes

Useful grep patterns for repository and workflow review:

grep -RInE 'container:|options:|--pid=host|--cap-add|--security-opt' /srv/gitea-repos/
grep -RInE 'runs-on:.*self-hosted' /srv/gitea-repos/

Docker log and event review on the runner host:

docker events --since 24h | grep -E 'create|start'
docker ps -aq | xargs -r docker inspect | grep -E '"PidMode":|"CapAdd":|"SecurityOpt":'
journalctl -u docker --since "24 hours ago" | grep -E 'pid=host|cap-add|security-opt'

Concrete detection query example for Docker inspect output:

docker ps -aq | while read c; do
  docker inspect "$c" --format '{{.Id}} {{.HostConfig.PidMode}} {{.HostConfig.CapAdd}} {{.HostConfig.SecurityOpt}}'
done | grep -E ' host |
[.+]|\[[^]]*unconfined[^]]*'

Example suspicious indicators to hunt for:

"PidMode": "host"
"CapAdd": ["SYS_ADMIN"]
"SecurityOpt": ["apparmor=unconfined"]
"SecurityOpt": ["seccomp=unconfined"]

If you centralize telemetry, create alerts on runner hosts for Docker containers started with host PID namespace, added Linux capabilities beyond baseline, or unconfined AppArmor/seccomp profiles.

Mitigation and Patching Guidance

No first-party fixed version is confirmed in the provided sources, so do not claim remediation simply by pointing to a guessed release. The defensible position is: if you use Docker-backed Gitea act_runner and cannot verify from vendor documentation that your deployed version contains a fix for CVE-2026-58053, treat the system as vulnerable and mitigate immediately.

The strongest short-term mitigation is to remove untrusted code execution from Docker-backed runners. That may mean disabling self-hosted Actions for exposed repositories, separating trusted and untrusted projects onto different runner pools, or moving high-risk workflows off Docker-backed act_runner until vendor guidance is available. If your environment supports only trusted internal workflows, confirm that assumption and enforce it with repository permissions, branch protection, and runner scoping.

Runner isolation also matters. Place runners on disposable hosts or dedicated VMs rather than shared infrastructure. Assume a runner compromise can become a host compromise, and design the environment accordingly. Restrict outbound network access, minimize secrets on the host, rotate runner registration tokens, and avoid reusing the same runner for workloads with different trust levels.

Technical Notes

If you need to stop exposure quickly, disable or stop runner services on systems used by untrusted repos:

sudo systemctl stop act_runner
sudo systemctl disable act_runner

If you must keep runners online for trusted workloads only, segregate them and review configuration before restarting:

sudo systemctl status act_runner
sudo systemctl journalctl -u act_runner -n 200

Review workflow files and remove dangerous container options immediately:

grep -RInE 'options:\s*.*(--pid=host|--cap-add|--security-opt)' /srv/gitea-repos/

Example workaround by editing workflow YAML to remove unsafe options:

# vulnerable pattern
container:
  image: alpine:latest
  options: --pid=host --cap-add=SYS_ADMIN --security-opt apparmor=unconfined

# safer interim pattern
container:
  image: alpine:latest

If your package or deployment method allows controlled upgrades, verify available runner releases first rather than assuming a fixed build:

act_runner --version
docker version

If you deploy the runner in a container, pin image updates only after validating vendor release notes:

docker ps --filter name=act_runner
docker inspect act_runner --format '{{.Config.Image}}'

Because the exact fixed version is unknown from the supplied sources, the safest workaround is operational: restrict who can run workflows, isolate runner hosts, and suspend Docker-backed runners for untrusted workloads until authoritative vendor patch guidance is confirmed.

References

  • NVD record for CVE-2026-58053
  • CISA KEV lookup result for CVE-2026-58053: not listed
  • Public PoC: https://github.com/bikini/exploitarium/tree/main/gitea-act-runner-container-options-poc
  • Third-party advisory: https://www.vulncheck.com/advisories/gitea-act-runner-container-hardening-bypass-via-workflow-container-options
  • Gitea runner releases: https://gitea.com/gitea/runner/releases
  • Gitea act_runner documentation: https://docs.gitea.com/usage/actions/act-runner

For additional context on security practices, you may refer to our articles on Insecure Direct Object Reference and SQL Injection.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-06-28

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.