CVE-2026-58053
Gravedad CVSS v4.0:
CRÍTICA
Tipo:
CWE-269
Gestión de privilegios incorrecta
Fecha de publicación:
28/06/2026
Última modificación:
30/06/2026
Descripción
*** Pendiente de traducción *** Gitea act_runner with the Docker backend (through act 0.262.0) passes a workflow's container.options string to the Docker job container's HostConfig and, when configured with privileged: false, forces only the Privileged flag off while merging options such as --pid=host, --cap-add, and --security-opt unchanged. A user who can run a workflow on a Docker-backed runner can create a job container with host namespaces and broad capabilities and escape to the host as root despite privileged mode being disabled.
Impacto
Puntuación base 4.0
9.40
Gravedad 4.0
CRÍTICA
Puntuación base 3.x
9.90
Gravedad 3.x
CRÍTICA



