Security Advisory - Published 2026-06-29 - DevOps / CI Runner
Gitea act_runner Docker backend: review runner isolation and workflow permissions
CVE-2026-58053 matters when Gitea act_runner uses Docker-backed workflow jobs on hosts that also hold sensitive services, secrets, or network access. Treat the runner host as a security boundary, not just a build worker.
Affected CVE
| CVE | Product | Affected | Review | CVSS |
|---|---|---|---|---|
| CVE-2026-58053 | Gitea act_runner | through act 0.262.0 | runner config and workflow access | 9.9 |
What to check
- Gitea act_runner deployments using the Docker backend through act 0.262.0.
- Runner hosts shared with production services, deployment keys, registries, or internal networks.
- Repositories where users outside the operations team can create or edit workflow files.
- Runner configuration, Docker daemon access, mounted volumes, job logs, and unexpected container lifecycle events.
Safe fix path
- Restrict workflow execution to trusted repositories and users while the runner is reviewed.
- Move Docker-backed runners to isolated hosts with no production secrets or broad internal network reach.
- Apply vendor hardening guidance or fixed packages when available.
- Rotate runner tokens and credentials exposed to jobs if the runner host cannot be ruled clean.
Compromise indicators
- Unexpected workflow edits, unusual runner job history, or jobs run by accounts that do not normally deploy.
- Containers with unusual host visibility, unexpected mounts, or access to sensitive service paths.
- New SSH keys, changed deployment credentials, unknown registry pushes, or suspicious outbound traffic from runner hosts.
- Runner hosts that show process, Docker, or audit logs inconsistent with normal build activity.
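As an added example (not from the advisory or the act_runner project), the container-side indicators above as a Python check over `docker inspect` output: privileged mode, host PID/network/IPC namespaces, and bind mounts whose source is a sensitive host path. The path list and the sample records are assumptions constructed for illustration.

```python
import json

# Host paths that should not be bind-mounted into a CI job container (assumed list).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/home", "/proc", "/sys",
                        "/var/run/docker.sock", "/run/docker.sock", "/var/lib/docker")

def is_sensitive(src):
    """True if a bind source is, or lies under, a sensitive host path."""
    return src == "/" or any(src == p or src.startswith(p + "/")
                             for p in SENSITIVE_HOST_PATHS if p != "/")

def container_findings(container):
    """Indicators for one `docker inspect` record: privileged flag,
    host namespaces, and bind mounts sourced from sensitive host paths."""
    host = container.get("HostConfig", {})
    findings = []
    if host.get("Privileged"):
        findings.append("privileged")
    for key in ("PidMode", "NetworkMode", "IpcMode"):
        if host.get(key) == "host":
            findings.append(f"{key}=host")
    for mount in container.get("Mounts", []):
        src = mount.get("Source", "")
        if mount.get("Type") == "bind" and is_sensitive(src):
            findings.append(f"bind:{src}->{mount.get('Destination')}")
    return findings

def scan(inspect_json):
    """Map container name -> findings, for containers that have any."""
    report = {}
    for c in json.loads(inspect_json):
        findings = container_findings(c)
        if findings:
            report[c.get("Name", "?").lstrip("/")] = findings
    return report

# Constructed sample shaped like `docker inspect $(docker ps -q)` output:
# a normal job container, then one showing the indicators listed above.
SAMPLE = json.dumps([
    {"Name": "/act_runner-job-101",
     "HostConfig": {"Privileged": False, "PidMode": "", "NetworkMode": "bridge"},
     "Mounts": [{"Type": "bind", "Source": "/opt/act_runner/workspace/101",
                 "Destination": "/workspace"}]},
    {"Name": "/act_runner-job-102",
     "HostConfig": {"Privileged": True, "PidMode": "host", "NetworkMode": "bridge"},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"},
                {"Type": "bind", "Source": "/root/.ssh", "Destination": "/keys"}]},
])

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE), indent=2))
```

On a live runner host, pipe the output of `docker inspect $(docker ps -q)` into `scan()`; a finding is a reason to review the runner configuration and job history, not by itself proof of compromise.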
When to ask Ping7 for repair
Use Ping7 CVE Repair when runner isolation is unclear, workflow permissions are broad, logs show suspicious jobs, or credential rotation must be coordinated across Git, CI, registry, and servers.