Home · Live brief · Weekly 2026-W27
CVE-2026-58053 — Gitea act_runner Docker backend: container-hardening bypass to host escape (public PoC, ENISA-critical)
notable vulnerability discovered 2026-06-29 00:21 UTC
Part of run 2026-W26-b78503e7 (weekly · Anthropic Claude (specific model not determined))
Gitea act_runner through 0.262.0 passes a workflow-defined container.options string straight into Docker's HostConfig: it forces only Privileged=false and merges --pid=host, --cap-add and --security-opt unchanged, so a malicious workflow can escape the job container to the host (VulnCheck). Public PoC, CVSS 9.4, mitigation-only this week. Self-hosted Gitea CI is common in DACH developer shops and universities; restrict who can define workflow container options. The companion Gitea-core auth bypass via the X-WEBAUTH-USER header (CVE-2026-20896, fixed in 1.26.3/1.26.4) remains worth patching on the same estate.
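An added defensive example, not code from the brief, VulnCheck or the Gitea project: a pre-merge audit that splits a workflow's container.options string the way a docker-run command line is parsed and flags the options named above. As an assumption beyond the brief, it also catches the other host namespaces (--ipc, --network, --userns, --uts, --cgroupns) and bind mounts of host paths.

```python
import shlex

# With the value "host" these flags join a host namespace from inside the job
# container. The brief names --pid=host; the others are an assumption here.
HOST_NAMESPACE_FLAGS = {"--pid", "--ipc", "--network", "--net", "--userns", "--uts", "--cgroupns"}
MOUNT_FLAGS = {"-v", "--volume", "--mount"}


def parse_options(options: str) -> list:
    """Split a docker-run style options string into (flag, value) pairs.
    Accepts "--flag=value" and "--flag value"; a bare flag gets value None."""
    tokens, pairs, i = shlex.split(options), [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            if "=" in tok:
                flag, value = tok.split("=", 1)
            elif i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                flag, value, i = tok, tokens[i + 1], i + 1
            else:
                flag, value = tok, None
            pairs.append((flag, value))
        i += 1
    return pairs


def mount_source(flag: str, value: str) -> str:
    """Host-side source of "-v /src:/dst" or "--mount type=bind,source=/src,...";
    named volumes and tmpfs mounts yield a non-absolute or empty string."""
    if flag == "--mount":
        for kv in value.split(","):
            key, _, val = kv.partition("=")
            if key in ("source", "src"):
                return val
        return ""
    return value.split(":")[0]


def audit_container_options(options: str) -> list:
    """One finding per option that reaches past the container boundary;
    an empty list means only resource or cosmetic settings were requested."""
    findings = []
    for flag, value in parse_options(options):
        if flag in HOST_NAMESPACE_FLAGS and value == "host":
            findings.append(f"{flag}=host: job shares the host {flag.lstrip('-')} namespace")
        elif flag == "--cap-add":
            findings.append(f"--cap-add={value}: capabilities added beyond Docker's default set")
        elif flag == "--security-opt":
            findings.append(f"--security-opt={value}: seccomp/AppArmor/SELinux confinement changed")
        elif flag in MOUNT_FLAGS and value and mount_source(flag, value).startswith("/"):
            findings.append(f"{flag}={value}: bind-mounts a host path into the job")
    return findings
```

Run it over each job's container.options in a repository's workflow files before the workflow is allowed onto a shared runner; any non-empty result is a review blocker.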