ctipilot.ch


CVE-2026-58053 — Gitea act_runner Docker backend: container-hardening bypass to host escape (public PoC, ENISA-critical)

notable vulnerability discovered 2026-06-29 00:21 UTC

Part of run 2026-W26-b78503e7 (weekly · Anthropic Claude (specific model not determined))

Gitea act_runner through 0.262.0 passes a workflow-defined container.options string straight into Docker's HostConfig: it forces only Privileged=false and merges --pid=host, --cap-add and --security-opt unchanged, so a malicious workflow can escape the job container to the host (VulnCheck). Public PoC, CVSS 9.4, mitigation-only this week. Self-hosted Gitea CI is common in DACH developer shops and universities; restrict who can define workflow container options. The companion Gitea-core auth bypass via the X-WEBAUTH-USER header (CVE-2026-20896, fixed in 1.26.3/1.26.4) remains worth patching on the same estate.
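The flaw is that neutralising Privileged alone is not a container-hardening policy. The added example below (not act_runner code, written for this brief) parses a container.options string the way a pre-admission linter or runner policy would, contrasts a weak check that only refuses --privileged with a strict one that refuses the option classes named above, and generalises the strict list to other host namespaces, device passthrough and host-path bind mounts; the denylists, parser and sample string are assumptions constructed here.

```python
import shlex

# Docker `run` options that undo job-container isolation. The brief names
# --pid=host, --cap-add and --security-opt; the other entries generalize the
# same idea to more host namespaces, device passthrough and host bind mounts.
ALWAYS_DENIED = {"--privileged", "--cap-add", "--security-opt", "--device"}
HOST_NS_FLAGS = {"--pid", "--ipc", "--uts", "--userns", "--network", "--net"}
BIND_FLAGS = {"-v", "--volume"}

def parse_options(options: str):
    """Yield (flag, value) from a docker-style options string.
    Accepts both `--flag=value` and `--flag value`; bare flags yield None."""
    toks = shlex.split(options)
    i = 0
    while i < len(toks):
        tok = toks[i]
        i += 1
        if not tok.startswith("-"):
            continue  # stray positional, not an option
        if "=" in tok:
            flag, value = tok.split("=", 1)
        elif i < len(toks) and not toks[i].startswith("-"):
            flag, value = tok, toks[i]
            i += 1
        else:
            flag, value = tok, None
        yield flag, value

def weak_check(options: str) -> list[str]:
    """The insufficient policy: only --privileged is refused."""
    return [f for f, _ in parse_options(options) if f == "--privileged"]

def strict_check(options: str) -> list[str]:
    """Refuse anything that grants host namespaces, extra capabilities,
    devices, weakened seccomp/LSM confinement or a host-path bind mount."""
    findings = []
    for flag, value in parse_options(options):
        if flag in ALWAYS_DENIED:
            findings.append(flag if value is None else f"{flag}={value}")
        elif flag in HOST_NS_FLAGS and value == "host":
            findings.append(f"{flag}=host")
        elif flag in BIND_FLAGS and value and value.startswith("/"):
            findings.append(f"{flag}={value}")
    return findings

# Constructed sample of a workflow's container.options value.
SAMPLE = ("--pid=host --cap-add NET_ADMIN --security-opt apparmor=unconfined "
          "-v /srv/cache:/cache --memory 2g")
```

For SAMPLE, weak_check returns an empty list (the job would be admitted), while strict_check returns four findings and the job should be refused.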

vulnerabilities poc-public priv-esc rce enisa-critical global europe switzerland CVE-2026-58053