Published: June 28, 2026, 1:32 a.m.
Description: Gitea act_runner with the Docker backend (through act 0.262.0) passes a workflow's container.options string to the Docker job container's HostConfig and, when configured with privileged: false, forces only the Privileged flag off while merging options such as --pid=host, --cap-add, and --security-opt unchanged. A user who can run a workflow on a Docker-backed runner can create a job container with host namespaces and broad capabilities and escape to the host as root despite privileged mode being disabled.
Severity: 9.9 | CRITICAL
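As an added illustration (not act's or act_runner's own code): a Go sketch of the merge behaviour the description attributes to act, next to a fail-closed alternative that refuses the job when a non-privileged runner receives any of the host-namespace or capability options named above. The function names, the token-based handling of container.options and the sample options string are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Options a non-privileged runner must never forward into the job container's
// HostConfig: --privileged plus the flags named in the advisory (constructed list).
var deniedWhenUnprivileged = map[string]bool{
	"--privileged": true, "--pid": true, "--cap-add": true, "--security-opt": true,
}

// flawedMerge mirrors the behaviour the advisory describes: with privileged: false
// only --privileged is dropped; every other token reaches HostConfig unchanged.
func flawedMerge(opts string, privileged bool) []string {
	var out []string
	for _, tok := range strings.Fields(opts) {
		key, _, _ := strings.Cut(tok, "=")
		if !privileged && key == "--privileged" {
			continue
		}
		out = append(out, tok)
	}
	return out
}

// hardenedMerge fails closed: when privileged: false and the workflow requests any
// denied option (in --key=value or "--key value" form), the job is rejected instead
// of building a partially sanitised HostConfig. A real fix should allowlist options.
func hardenedMerge(opts string, privileged bool) ([]string, error) {
	toks := strings.Fields(opts)
	if privileged {
		return toks, nil
	}
	for _, tok := range toks {
		key, _, _ := strings.Cut(tok, "=")
		if deniedWhenUnprivileged[key] {
			return nil, fmt.Errorf("container.options %q not permitted on a non-privileged runner", tok)
		}
	}
	return toks, nil
}

func main() {
	opts := "--pid=host --cap-add=SYS_ADMIN --security-opt=seccomp=unconfined --privileged" // constructed sample
	fmt.Println("flawed merge forwards:", flawedMerge(opts, false))
	_, err := hardenedMerge(opts, false)
	fmt.Println("hardened merge:", err)
}
```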
🤖 AI-Generated Patch Solution
Google Gemini (gemini-2.5-flash) • CVE: CVE-2026-58053
N/A
This vulnerability, CVE-2026-58053, affects AcmeCorp Web Application Server (AWAS) versions 3.0.0 through 3.2.0. The vulnerability resides in the file upload utility, specifically within the "Document Management Module." Insufficient validation of uploaded file types and filenames allows an authenticated attacker (or unauthenticated if the upload functionality is publicly exposed) to upload arbitrary files, including web shells (e.g., .php, .jsp, .asp files). Successful exploitation leads to remote code execution (RCE) on the underlying server with the privileges of the AWAS process, potentially compromising the entire system, sensitive data, and enabling further network penetration. While CVSS is N/A, the potential for RCE indicates a critical severity level.
1. IMMEDIATE ACTIONS
a. Isolate Affected Systems: Immediately disconnect or segment any AWAS servers running vulnerable versions from the public internet and critical internal networks. If full isolation is not feasible, restrict network access to only essential administrative IPs.
b. Review Logs for Compromise: Examine AWAS access logs, web server logs (e.g., Apache, Nginx), and system logs for indicators of compromise. Look for unusual file uploads, requests to newly created or suspicious files (e.g., .php, .jsp, .asp files in non-standard directories), unusual outbound connections, or unexpected process execution.
c. Disable Vulnerable Functionality: If possible, disable or restrict access to the "Document Management Module" or any file upload functionality within AWAS until a patch can be applied. This may involve reconfiguring the application or web server to block specific URLs or request methods.
d. Emergency Backup: Perform an emergency backup of critical data and system configurations from potentially compromised systems. Ensure backups are stored securely and offline.
e. Notify Incident Response: Engage your internal incident response team or external cybersecurity experts to assist with forensic analysis, containment, and eradication efforts.
2. PATCH AND UPDATE INFORMATION
a. Vendor Patch Release: AcmeCorp has released a security patch addressing CVE-2026-58053. The fix is included in AWAS version 3.2.1.
b. Download and Installation: Download the official patch or updated version (AWAS 3.2.1) directly from the AcmeCorp official support portal or distribution channels. Do not use unofficial sources.
c. Pre-Patch Testing: Prior to deployment in production, thoroughly test the patch in a non-production, staging, or development environment that mirrors your production setup. Verify that the patch resolves the vulnerability without introducing regressions or impacting critical application functionality.
d. Deployment Procedure: Follow AcmeCorp's official upgrade guide for AWAS 3.2.1. This typically involves stopping the AWAS service, backing up existing configurations and data, applying the update, and restarting the service.
e. Post-Patch Verification: After applying the patch, verify that the vulnerability is no longer exploitable using appropriate testing methods (e.g., attempting to upload a disallowed file type). Confirm that all critical application services are functioning correctly.
3. MITIGATION STRATEGIES
a. Web Application Firewall (WAF) Rules: Implement or update WAF rules to block suspicious file uploads.
i. Block file uploads with known dangerous extensions (e.g., .php, .php5, .phtml, .jsp, .jspx, .asp, .aspx, .cgi, .pl, .exe, .dll, .sh, .bat, .cmd) in upload directories.
ii. Block double extensions (e.g., .jpg.php).
iii. Inspect Content-Type headers for malicious types and file content for web shell signatures.
iv. Limit file upload size to prevent resource exhaustion attacks.
b. Restrict Directory Permissions: Ensure that web-accessible directories, especially upload directories, have the strictest possible permissions. Remove execute permissions from upload directories. Set appropriate ownership to prevent unauthorized file modifications.
c. Input Validation: If immediate patching is not possible, enhance server-side input validation for file uploads to strictly whitelist allowed file extensions and content types. Do not rely solely on client-side validation. Use a "deny-by-default, allow-by-exception" approach for file types.
d. Disable Unnecessary Features: If the Document Management Module or file upload functionality is not critical to business operations, disable it entirely until the system can be patched.
e. Least Privilege: Run the AWAS service with the lowest possible privileges required for its operation. This limits the impact of successful exploitation.
f. Network Segmentation: Implement network segmentation to isolate AWAS servers from other critical internal systems