CVE-2026-58053 — Gitea `act_runner` Docker backend: container-hardening bypass to host escape (public PoC, ENISA-critical)
From CTI Weekly Summary — 2026-W26 (Jun 22 – Jun 28, 2026) · published 2026-06-29
Gitea `act_runner` through 0.262.0 passes a workflow-defined `container.options` string straight into Docker's `HostConfig`: it forces only `Privileged=false` and merges `--pid=host`, `--cap-add` and `--security-opt` unchanged, so a malicious workflow can escape the job container to the host (VulnCheck). Public PoC, CVSS 9.4, mitigation-only this week. Self-hosted Gitea CI is common in DACH developer shops and universities; restrict who can define workflow container options. The companion Gitea-core auth bypass via `X-WEBAUTH-USER` (CVE-2026-20896, fixed in 1.26.3/1.26.4) remains worth patching on the same estate.
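The mitigation the brief asks for, restricting what a workflow may put into `container.options`, can be enforced as a deny-by-default allowlist checked before the string reaches `HostConfig`. The Go function below is an added illustration, not act_runner's own code or its upstream fix; the allowlist, the function name `CheckContainerOptions` and the sample option strings are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// allowedOptions is a hypothetical deny-by-default allowlist of flags a
// workflow may set on its job container. Anything not listed, including
// --pid, --cap-add, --security-opt and --privileged, is rejected.
var allowedOptions = map[string]bool{
	"--cpus": true, "--memory": true, "-m": true, "--shm-size": true,
	"--env": true, "-e": true, "--dns": true,
}

// CheckContainerOptions validates a workflow-supplied container.options
// string before it is translated into a Docker HostConfig. It accepts both
// "--flag=value" and "--flag value" and returns an error naming the first
// disallowed token, so a single forbidden flag fails the whole string.
func CheckContainerOptions(opts string) error {
	fields := strings.Fields(opts)
	for i := 0; i < len(fields); i++ {
		tok := fields[i]
		if !strings.HasPrefix(tok, "-") {
			return fmt.Errorf("unexpected bare token %q", tok)
		}
		name, hasInlineValue := tok, false
		if idx := strings.Index(tok, "="); idx >= 0 {
			name, hasInlineValue = tok[:idx], true
		}
		if !allowedOptions[name] {
			return fmt.Errorf("container option %q is not permitted", name)
		}
		// Every allowed flag takes a value; consume the next token when it
		// was not given inline. A value that itself looks like a flag is
		// refused rather than silently swallowed.
		if !hasInlineValue {
			i++
			if i >= len(fields) || strings.HasPrefix(fields[i], "-") {
				return fmt.Errorf("option %s requires a value", name)
			}
		}
	}
	return nil
}

func main() {
	// Constructed sample strings: one benign, one carrying the flags the brief names.
	for _, s := range []string{
		"--cpus=2 --memory 512m",
		"--pid=host --cap-add SYS_ADMIN --security-opt seccomp=unconfined",
	} {
		fmt.Printf("%q -> %v\n", s, CheckContainerOptions(s))
	}
}
```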