CVSS score: 5.9
Trivy Action allows attackers to run malicious commands in CI runner
CVE-2026-26189
GHSA-9p44-j4g5-cfx5
Summary
The Trivy Action in GitHub Actions can execute arbitrary commands in the CI environment if an attacker injects malicious code into the action's inputs. This can happen if you pass untrusted data into the action's inputs, allowing an attacker to run their own commands. To avoid this, ensure you only pass trusted data to the Trivy Action.
What to do
- Update aquasecurity trivy-action to version 0.34.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| aquasecurity | trivy-action | > 0.31.0, <= 0.34.0 | 0.34.0 |
| aquasec | trivy_action | > 0.31.0, <= 0.34.1 | – |
Original title
Trivy Action has a script injection via sourced env file in composite action
Original description
Command Injection in aquasecurity/trivy-action via Unsanitized Environment Variable Export
A command injection vulnerability exists in `aquasecurity/trivy-action` due to improper handling of action inputs when exporting environment variables. The action writes `export VAR=<input>` lines to `trivy_envs.txt` based on user-supplied inputs and subsequently sources this file in `entrypoint.sh`.
Because input values are written without appropriate shell escaping, attacker-controlled input containing shell metacharacters (e.g., `$(...)`, backticks, or other command substitution syntax) may be evaluated during the sourcing process. This can result in arbitrary command execution within the GitHub Actions runner context.
**Severity:**
Moderate
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
**Impact:**
Successful exploitation may lead to arbitrary command execution in the CI runner environment.
**Affected Versions:**
* Versions >= 0.31.0 and <= 0.33.1
* Introduced in commit `7aca5ac`
**Affected Conditions:**
The vulnerability is exploitable when a consuming workflow passes attacker-controlled data into any action input that is written to `trivy_envs.txt`. The attacker must be able to influence that input (for example, by authoring the pull request whose metadata the workflow interpolates).
A representative exploitation pattern involves incorporating untrusted pull request metadata into an action parameter. For example:
```yaml
# The version tag is elided in the original advisory text; <version> is a placeholder.
- uses: aquasecurity/trivy-action@<version>
  with:
    output: "trivy-${{ github.event.pull_request.title }}.sarif"
```
If the pull request title contains shell syntax, it may be executed when the generated environment file is sourced.
**Not Affected:**
* Workflows that do not pass attacker-controlled data into `trivy-action` inputs
* Workflows that upgrade to a patched version that properly escapes shell values or eliminates the `source ./trivy_envs.txt` pattern
* Workflows where user input is not accessible.
**Call Sites:**
* `action.yaml:188` — `set_env_var_if_provided` writes unescaped `export` lines
* `entrypoint.sh:9` — sources `./trivy_envs.txt`
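To make the two call sites concrete, here is an added example (not trivy-action's own code) that places the unescaped `export VAR=<input>` line the advisory describes beside a single-quote-escaped version, then sources the hardened file with a constructed untrusted value that carries a command substitution. All function and variable names, and the marker-file trick, are this example's own.

```shell
# Added example, not trivy-action's own code. It contrasts the unescaped
# "export VAR=<input>" line the advisory describes with a shell-quoted version,
# using a constructed untrusted value that carries a command substitution.
# Everything is POSIX sh; function and variable names are this example's own.

# Vulnerable pattern: the value is interpolated into the export line verbatim,
# so a "$(...)" inside it is evaluated when the file is later sourced.
unescaped_export_line() {   # $1 = var name, $2 = value
  printf 'export %s=%s\n' "$1" "$2"
}

# Hardened pattern: wrap the value in single quotes and rewrite any embedded
# single quote as '\'' so no metacharacter reaches the sourcing shell.
sq_escape() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}
escaped_export_line() {     # $1 = var name, $2 = value
  printf 'export %s=%s\n' "$1" "$(sq_escape "$2")"
}

# Constructed untrusted input (think: a PR title). The substitution would
# create a marker file if the sourcing shell ever evaluated it.
MARKER="$(mktemp -d)/evaluated"
UNTRUSTED="trivy-\$(touch $MARKER).sarif"

# Write the hardened line to a temp env file, source it in a subshell, and
# return the value OUTPUT holds afterwards (expected: the literal input).
hardened_value() {
  f="$(mktemp)"
  escaped_export_line OUTPUT "$UNTRUSTED" > "$f"
  ( . "$f" && printf '%s' "$OUTPUT" )
  rm -f "$f"
}

# True only if the injected command ran, i.e. the escaping failed.
marker_was_created() { [ -e "$MARKER" ]; }
```

The same check works as a regression test for any composite action that builds an env file from inputs: source the file in a subshell and assert the variable equals the raw input byte-for-byte.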
NVD CVSS 3.1 score: 8.1
Vulnerability type: CWE-78 (OS Command Injection)
- https://github.com/aquasecurity/trivy-action/commit/7aca5acc9500b463826cc47a47a6... Patch
- https://github.com/aquasecurity/trivy-action/commit/bc61dc55704e2d5704760f3cdab0... Patch
- https://github.com/aquasecurity/trivy-action/security/advisories/GHSA-9p44-j4g5-... Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-26189
- https://github.com/advisories/GHSA-9p44-j4g5-cfx5
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026