A critical flaw in Gitea act_runner and a separate compromise of popular GitHub Actions highlighted how CI/CD platforms can be turned into high-impact attack paths. In Gitea, CVE-2026-58053 allows a user with workflow execution privileges to escape a Docker-backed job container and gain root access on the host by abusing unsafe Docker options merged from container.options, including --pid=host, --cap-add, and --security-opt. The issue affects Docker-backed act_runner deployments through version 0.262.0, putting source code, build systems, and deployment credentials at risk.
In the GitHub ecosystem, attackers compromised tags for tj-actions/changed-files and several reviewdog actions in a supply-chain campaign tracked as CVE-2025-30066 and CVE-2025-30154, causing CI/CD secrets to be written into workflow logs and potentially exposed, especially in public repositories. Reporting tied the activity to an intrusion that likely began with Coinbase-related targets before expanding more broadly. Defenders were urged to upgrade vulnerable Gitea runners, restrict workflow container options, audit workflows and logs, remove affected actions, rotate exposed secrets, preserve and then delete compromised logs, and pin GitHub Actions to full commit hashes.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
The source states that a fix is available in act_runner 0.262.0 for CVE-2026-58053. At the time of publication, it also noted there was no public proof-of-concept or confirmed active exploitation.
A critical container escape vulnerability in Gitea act_runner was disclosed, affecting the Docker backend through version 0.262.0. The flaw allows users with workflow execution privileges to inject dangerous Docker options and escape the job container to the host as root.
In March 2025, attackers modified tags for tj-actions/changed-files and several reviewdog actions so they pointed to malicious commits. The injected code exfiltrated CI/CD secrets by writing them into GitHub Actions workflow logs, and the campaign was tracked as CVE-2025-30066 and CVE-2025-30154.
Reporting cited in the source says the March 2025 campaign likely started as a targeted intrusion against Coinbase repositories before expanding into broader abuse of compromised GitHub Action tags.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.