CVE · nvd · 28 Jun 2026

CVE-2026-58053 (CVSS 9.9) — Gitea act_runner with the Docker backend (through act 0.262.0) passes a workflow's container.options string to the Docker job container's HostConfig and, when configured with privileged: false, forces

CVE. Sourced from nvd, summarised by Matproof.

AI Analysis

What changed and what to do.

A critical vulnerability, CVE-2026-58053, has been published with a CVSS score of 9.9, affecting Gitea act_runner when using the Docker backend, up to and including act 0.262.0. The flaw allows a malicious workflow to pass an arbitrary container.options string directly into the Docker job container's HostConfig, bypassing the runner's configured privileged: false setting. This effectively enables an attacker who can submit a workflow to escalate privileges and gain host-level access, potentially compromising the entire CI/CD pipeline and the underlying infrastructure.

Organizations using Gitea for source code management and CI/CD, particularly those in software development, fintech, healthcare, and public sector entities with DevOps pipelines, are directly affected. Any EU-regulated entity relying on Gitea act_runner for automated builds or testing should treat this as a high-priority security incident, as it undermines container isolation and could lead to data breaches or system takeover.

Compliance teams should immediately verify the version of act_runner in use and apply any available patches or updates from Gitea. If a fix is not yet released, implement compensating controls such as restricting workflow definitions to trusted users, disabling Docker backend usage, or enforcing strict network segmentation. Document the risk assessment and mitigation steps in your incident response records, as this vulnerability may require notification under GDPR or sector-specific regulations if exploitation is suspected.
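As an added illustration of the compensating control above (restricting what workflow definitions may request), the following is an example policy gate written for this page; it is not act_runner's code, Gitea's, or Matproof's. It assumes that the `jobs.<id>.container.options` and `jobs.<id>.services.<id>.options` values are docker-run style option strings (which is how act interprets them) and that the list of flags treated as isolation-weakening is a local policy choice rather than anything the advisory specifies. The sample workflow is a constructed Python dict standing in for a parsed `.gitea/workflows/*.yml`; in a real pre-merge check it would be loaded with a YAML library.

```python
"""Policy gate for container.options strings in act-style workflows.

Example code added for this page (not from act_runner or Matproof). It tokenises
the docker-run style string a workflow may place under container.options and
reports flags that would weaken container isolation, so a pipeline can reject
such workflows before a runner ever turns them into a Docker HostConfig.
"""
import shlex
from dataclasses import dataclass

# Assumed policy: flags whose mere presence is a finding.
ALWAYS_RISKY = {
    "--privileged": "runs the job container with all capabilities and host device access",
    "--cap-add": "adds Linux capabilities to the job container",
    "--device": "exposes a host device to the job container",
}
# Assumed policy: namespace flags that are a finding only when set to 'host'.
HOST_NAMESPACE_FLAGS = {"--pid", "--network", "--net", "--ipc", "--uts", "--userns", "--cgroupns"}
# Assumed policy: --security-opt values that switch off a confinement layer.
UNCONFINED_MARKERS = ("seccomp=unconfined", "apparmor=unconfined", "apparmor:unconfined")
MOUNT_FLAGS = {"-v", "--volume", "--mount"}
# docker-run flags that never take a value (so the next token is not their argument).
NO_VALUE_FLAGS = {"--privileged", "--rm", "--init", "--read-only", "-i", "-t", "-d", "--detach"}


@dataclass(frozen=True)
class Finding:
    flag: str
    value: str
    reason: str


def _pairs(tokens):
    """Yield (flag, value) pairs; accepts '--flag=value' and '--flag value' forms."""
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("-"):          # stray positional token, ignore
            i += 1
            continue
        if "=" in tok:
            flag, value = tok.split("=", 1)
            i += 1
        elif tok in NO_VALUE_FLAGS or i + 1 >= len(tokens) or tokens[i + 1].startswith("-"):
            flag, value = tok, ""
            i += 1
        else:
            flag, value = tok, tokens[i + 1]
            i += 2
        yield flag, value


def _mounts_host_path(flag, value):
    """True when a -v/--volume source is an absolute host path, or --mount is a bind mount."""
    if flag == "--mount":
        return "type=bind" in value.split(",")
    return value.split(":", 1)[0].startswith("/")


def audit_container_options(options):
    """Return the isolation-weakening flags found in one options string."""
    findings = []
    for flag, value in _pairs(shlex.split(options or "")):
        if flag in ALWAYS_RISKY:
            findings.append(Finding(flag, value, ALWAYS_RISKY[flag]))
        elif flag in HOST_NAMESPACE_FLAGS and value == "host":
            findings.append(Finding(flag, value, f"shares the host {flag.lstrip('-')} namespace"))
        elif flag == "--security-opt" and any(m in value for m in UNCONFINED_MARKERS):
            findings.append(Finding(flag, value, "disables seccomp or AppArmor confinement"))
        elif flag in MOUNT_FLAGS and _mounts_host_path(flag, value):
            findings.append(Finding(flag, value, "bind-mounts a host path into the job container"))
    return findings


def audit_workflow(workflow):
    """Map 'job_id' or 'job_id/services/name' to findings for every options string."""
    report = {}
    for job_id, job in (workflow.get("jobs") or {}).items():
        container = job.get("container")
        if isinstance(container, dict):      # a bare string is only an image name
            hits = audit_container_options(container.get("options", ""))
            if hits:
                report[job_id] = hits
        for svc_id, svc in (job.get("services") or {}).items():
            if isinstance(svc, dict):
                hits = audit_container_options(svc.get("options", ""))
                if hits:
                    report[f"{job_id}/services/{svc_id}"] = hits
    return report


# Constructed sample workflow (stands in for a parsed .gitea/workflows/*.yml).
SAMPLE_WORKFLOW = {
    "jobs": {
        "build": {"container": {"image": "node:20", "options": "--cpus 2 --memory 4g"}},
        "suspicious": {"container": {"image": "ubuntu:22.04",
                                     "options": "--privileged --pid=host "
                                                "-v /var/run/docker.sock:/var/run/docker.sock"}},
        "unit": {"container": "python:3.12",
                 "services": {"db": {"image": "postgres:16",
                                     "options": "--security-opt seccomp=unconfined"}}},
    }
}

if __name__ == "__main__":
    for where, hits in audit_workflow(SAMPLE_WORKFLOW).items():
        for h in hits:
            print(f"{where}: {h.flag} {h.value} ({h.reason})")
```

The gate is deliberately conservative: resource limits such as `--cpus` pass untouched, named volumes are allowed while absolute host paths are not, and namespace flags only trigger on the `host` value. Running it as a required check on workflow changes gives reviewers a finding to act on regardless of whether the runner in use honours `privileged: false`.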

This summary is AI-generated for orientation purposes. For regulatory action, always consult the original source linked above.
