{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26189", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-11T19:56:24.812Z", "datePublished": "2026-02-19T19:07:49.631Z", "dateUpdated": "2026-02-19T21:23:33.970Z"}, "containers": {"cna": {"title": "Trivy Action has a script injection via sourced env file in composite action", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/aquasecurity/trivy-action/security/advisories/GHSA-9p44-j4g5-cfx5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/aquasecurity/trivy-action/security/advisories/GHSA-9p44-j4g5-cfx5"}, {"name": "https://github.com/aquasecurity/trivy-action/commit/7aca5acc9500b463826cc47a47a65ad7d404b045", "tags": ["x_refsource_MISC"], "url": "https://github.com/aquasecurity/trivy-action/commit/7aca5acc9500b463826cc47a47a65ad7d404b045"}, {"name": "https://github.com/aquasecurity/trivy-action/commit/bc61dc55704e2d5704760f3cdab0d09acf16e4ca", "tags": ["x_refsource_MISC"], "url": "https://github.com/aquasecurity/trivy-action/commit/bc61dc55704e2d5704760f3cdab0d09acf16e4ca"}], "affected": [{"vendor": "aquasecurity", "product": "trivy-action", "versions": [{"version": ">= 0.31.0, < 0.34.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T19:07:49.631Z"}, "descriptions": [{"lang": "en", "value": "Trivy Action runs Trivy as GitHub action to scan a Docker container image for vulnerabilities. A command injection vulnerability exists in `aquasecurity/trivy-action` versions 0.31.0 through 0.33.1 due to improper handling of action inputs when exporting environment variables. The action writes `export VAR=<input>` lines to `trivy_envs.txt` based on user-supplied inputs and subsequently sources this file in `entrypoint.sh`. Because input values are written without appropriate shell escaping, attacker-controlled input containing shell metacharacters (e.g., `$(...)`, backticks, or other command substitution syntax) may be evaluated during the sourcing process. This can result in arbitrary command execution within the GitHub Actions runner context. Version 0.34.0 contains a patch for this issue. The vulnerability is exploitable when a consuming workflow passes attacker-controlled data into any action input that is written to `trivy_envs.txt`. Access to user input is required by the malicious actor. Workflows that do not pass attacker-controlled data into `trivy-action` inputs, workflows that upgrade to a patched version that properly escapes shell values or eliminates the `source ./trivy_envs.txt` pattern, and workflows where user input is not accessible are not affected."}], "source": {"advisory": "GHSA-9p44-j4g5-cfx5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T20:57:39.602807Z", "id": "CVE-2026-26189", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:23:33.970Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26189", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-19T20:57:39.602807Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T20:57:41.132Z"}}], "cna": {"title": "Trivy Action has a script injection via sourced env file in composite action", "source": {"advisory": "GHSA-9p44-j4g5-cfx5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "aquasecurity", "product": "trivy-action", "versions": [{"status": "affected", "version": ">= 0.31.0, < 0.34.0"}]}], "references": [{"url": "https://github.com/aquasecurity/trivy-action/security/advisories/GHSA-9p44-j4g5-cfx5", "name": "https://github.com/aquasecurity/trivy-action/security/advisories/GHSA-9p44-j4g5-cfx5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/aquasecurity/trivy-action/commit/7aca5acc9500b463826cc47a47a65ad7d404b045", "name": "https://github.com/aquasecurity/trivy-action/commit/7aca5acc9500b463826cc47a47a65ad7d404b045", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/aquasecurity/trivy-action/commit/bc61dc55704e2d5704760f3cdab0d09acf16e4ca", "name": "https://github.com/aquasecurity/trivy-action/commit/bc61dc55704e2d5704760f3cdab0d09acf16e4ca", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Trivy Action runs Trivy as GitHub action to scan a Docker container image for vulnerabilities. A command injection vulnerability exists in `aquasecurity/trivy-action` versions 0.31.0 through 0.33.1 due to improper handling of action inputs when exporting environment variables. The action writes `export VAR=<input>` lines to `trivy_envs.txt` based on user-supplied inputs and subsequently sources this file in `entrypoint.sh`. Because input values are written without appropriate shell escaping, attacker-controlled input containing shell metacharacters (e.g., `$(...)`, backticks, or other command substitution syntax) may be evaluated during the sourcing process. This can result in arbitrary command execution within the GitHub Actions runner context. Version 0.34.0 contains a patch for this issue. The vulnerability is exploitable when a consuming workflow passes attacker-controlled data into any action input that is written to `trivy_envs.txt`. Access to user input is required by the malicious actor. Workflows that do not pass attacker-controlled data into `trivy-action` inputs, workflows that upgrade to a patched version that properly escapes shell values or eliminates the `source ./trivy_envs.txt` pattern, and workflows where user input is not accessible are not affected."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T19:07:49.631Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26189", "state": "PUBLISHED", "dateUpdated": "2026-02-19T21:23:33.970Z", "dateReserved": "2026-02-11T19:56:24.812Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-19T19:07:49.631Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:aquasec:trivy_action:*:*:*:*:*:*:*:*", "matchCriteriaId": "BD6A33D0-39BB-4094-8074-8D47D2C1F437", "versionEndExcluding": "0.34.1", "versionStartIncluding": "0.31.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Trivy Action runs Trivy as GitHub action to scan a Docker container image for vulnerabilities. A command injection vulnerability exists in `aquasecurity/trivy-action` versions 0.31.0 through 0.33.1 due to improper handling of action inputs when exporting environment variables. The action writes `export VAR=<input>` lines to `trivy_envs.txt` based on user-supplied inputs and subsequently sources this file in `entrypoint.sh`. Because input values are written without appropriate shell escaping, attacker-controlled input containing shell metacharacters (e.g., `$(...)`, backticks, or other command substitution syntax) may be evaluated during the sourcing process. This can result in arbitrary command execution within the GitHub Actions runner context. Version 0.34.0 contains a patch for this issue. The vulnerability is exploitable when a consuming workflow passes attacker-controlled data into any action input that is written to `trivy_envs.txt`. Access to user input is required by the malicious actor. Workflows that do not pass attacker-controlled data into `trivy-action` inputs, workflows that upgrade to a patched version that properly escapes shell values or eliminates the `source ./trivy_envs.txt` pattern, and workflows where user input is not accessible are not affected."}, {"lang": "es", "value": "Trivy Action ejecuta Trivy como acci\u00f3n de GitHub para escanear una imagen de contenedor Docker en busca de vulnerabilidades. Una vulnerabilidad de inyecci\u00f3n de comandos existe en las versiones 0.31.0 a 0.33.1 de `aquasecurity/trivy-action` debido a un manejo inadecuado de las entradas de la acci\u00f3n al exportar variables de entorno. La acci\u00f3n escribe l\u00edneas 'export VAR=' en `trivy_envs.txt` bas\u00e1ndose en entradas proporcionadas por el usuario y posteriormente carga este archivo en `entrypoint.sh`. Debido a que los valores de entrada se escriben sin el escape de shell adecuado, la entrada controlada por el atacante que contiene metacaracteres de shell (por ejemplo, '$(...)', comillas invertidas u otra sintaxis de sustituci\u00f3n de comandos) puede ser evaluada durante el proceso de carga. Esto puede resultar en la ejecuci\u00f3n arbitraria de comandos dentro del contexto del ejecutor de GitHub Actions. La versi\u00f3n 0.34.0 contiene un parche para este problema. La vulnerabilidad es explotable cuando un flujo de trabajo consumidor pasa datos controlados por el atacante a cualquier entrada de acci\u00f3n que se escriba en `trivy_envs.txt`. Se requiere acceso a la entrada del usuario por parte del actor malicioso. Los flujos de trabajo que no pasan datos controlados por el atacante a las entradas de `trivy-action`, los flujos de trabajo que se actualizan a una versi\u00f3n parcheada que escapa correctamente los valores de shell o elimina el patr\u00f3n 'source ./trivy_envs.txt', y los flujos de trabajo donde la entrada del usuario no es accesible no se ven afectados."}], "id": "CVE-2026-26189", "lastModified": "2026-02-26T02:55:00.643", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-19T20:25:42.120", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/aquasecurity/trivy-action/commit/7aca5acc9500b463826cc47a47a65ad7d404b045"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/aquasecurity/trivy-action/commit/bc61dc55704e2d5704760f3cdab0d09acf16e4ca"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/aquasecurity/trivy-action/security/advisories/GHSA-9p44-j4g5-cfx5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.31.0,0.34.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "trivy-action", "source": "cna", "vendor": "aquasecurity"}, "product": "trivy-action", "vendor": "aquasecurity"}], "analysis": {"en": {"generated_at": "2026-04-18T11:45:32.090794+00:00", "value": {"mitigation_remediation": ["Upgrade aquasecurity/trivy-action to version 0.34.0 or later, which correctly escapes shell values or removes the source of the env file.", "During workflow design, avoid feeding untrusted or externally supplied data into any input that the action will export to trivy_envs.txt; validate or sanitise such inputs before they reach the action.", "If an upgrade is not immediately possible, disable the sourcing of trivy_envs.txt in the action\u2019s entrypoint or replace the composite action with a manually invoked, hardened script that performs the same scan without dynamic env sourcing."], "summary": {"action": "Update", "impact": "Command Injection / Arbitrary Code Execution"}, "threat_synthesis": {"affected_systems": "aquasecurity:trivy-action versions 0.31.0 through 0.33.1 are affected when they are used in a GitHub Actions workflow that accepts attacker\u2011controlled values for any input that ends up written to trivy_envs.txt. The vulnerability is patched in 0.34.0. Workflows that do not forward untrusted data to those inputs, or that update to the patched release, are not vulnerable.", "description_and_impact": "The vulnerability arises from improper handling of user\u2011supplied inputs when the Trivy Action writes environment variables to a file and then sources that file. Because the input values are written without shell escaping, an attacker who can influence any action input can inject shell metacharacters, causing the GitHub Actions runner to execute arbitrary commands at the environment of the job. This represents a classic shell injection (CWE\u201178) that can compromise secrets, access control, or the build environment.", "risk_and_exploitability": "The CVSS base score of 5.9 indicates a medium impact, and the EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack vector requires that the adversary can supply or manipulate job inputs within a GitHub Actions workflow; once the action sources the env file, the injected commands run with the permissions of the runner. While the probability of exploitation is low, the potential consequences for compromise of the runner and the build pipeline are significant."}}}}, "created": "2026-02-20T10:05:52.235573+00:00", "updated": "2026-04-18T11:45:44.603004+00:00", "vendors": ["aquasecurity", "aquasecurity$PRODUCT$trivy-action"]}