{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-58053/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-28T01:32:55.648Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-58053","@id":"https://www.cve.org/CVERecord?id=CVE-2026-58053","description":"Gitea act_runner with the Docker backend (through act 0.262.0) passes a workflow's container.options string to the Docker job container's HostConfig and, when configured with privileged: false, forces only the Privileged flag off while merging options such as --pid=host, --cap-add, and --security-opt unchanged. A user who can run a workflow on a Docker-backed runner can create a job container with host namespaces and broad capabilities and escape to the host as root despite privileged mode being disabled."},"products":[{"@id":"cpe:2.3:a:gitea:act_runner:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:gitea:act_runner:*:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"No fixed version is published yet; monitor the upstream advisory.","timestamp":"2026-06-28T01:32:55.648Z"}]}