{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34041", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-25T15:29:04.744Z", "datePublished": "2026-03-31T01:43:25.074Z", "dateUpdated": "2026-04-02T14:49:57.581Z"}, "containers": {"cna": {"title": "act: Unrestricted set-env and add-path command processing enables environment injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/nektos/act/security/advisories/GHSA-xmgr-9pqc-h5vw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nektos/act/security/advisories/GHSA-xmgr-9pqc-h5vw"}, {"name": "https://github.com/nektos/act/commit/0c739c8e39c41aa5a07665f732da9cab6df0097a", "tags": ["x_refsource_MISC"], "url": "https://github.com/nektos/act/commit/0c739c8e39c41aa5a07665f732da9cab6df0097a"}, {"name": "https://github.com/nektos/act/releases/tag/v0.2.86", "tags": ["x_refsource_MISC"], "url": "https://github.com/nektos/act/releases/tag/v0.2.86"}], "affected": [{"vendor": "nektos", "product": "act", "versions": [{"version": "< 0.2.86", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T01:43:25.074Z"}, "descriptions": [{"lang": "en", "value": "act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which was disabled due to environment injection risks. When a workflow step echoes untrusted data to stdout, an attacker can inject these commands to set arbitrary environment variables or modify the PATH for all subsequent steps in the job. This issue has been patched in version 0.2.86."}], "source": {"advisory": "GHSA-xmgr-9pqc-h5vw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T14:49:17.186865Z", "id": "CVE-2026-34041", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T14:49:57.581Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-34041", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-02T14:49:17.186865Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T14:49:34.731Z"}}], "cna": {"title": "act: Unrestricted set-env and add-path command processing enables environment injection", "source": {"advisory": "GHSA-xmgr-9pqc-h5vw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "nektos", "product": "act", "versions": [{"status": "affected", "version": "< 0.2.86"}]}], "references": [{"url": "https://github.com/nektos/act/security/advisories/GHSA-xmgr-9pqc-h5vw", "name": "https://github.com/nektos/act/security/advisories/GHSA-xmgr-9pqc-h5vw", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nektos/act/commit/0c739c8e39c41aa5a07665f732da9cab6df0097a", "name": "https://github.com/nektos/act/commit/0c739c8e39c41aa5a07665f732da9cab6df0097a", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nektos/act/releases/tag/v0.2.86", "name": "https://github.com/nektos/act/releases/tag/v0.2.86", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which was disabled due to environment injection risks. When a workflow step echoes untrusted data to stdout, an attacker can inject these commands to set arbitrary environment variables or modify the PATH for all subsequent steps in the job. This issue has been patched in version 0.2.86."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T01:43:25.074Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34041", "state": "PUBLISHED", "dateUpdated": "2026-04-02T14:49:57.581Z", "dateReserved": "2026-03-25T15:29:04.744Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T01:43:25.074Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nektos:act:*:*:*:*:*:*:*:*", "matchCriteriaId": "32DCBFDE-C658-4FEA-9386-FDF06A894809", "versionEndExcluding": "0.2.86", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which was disabled due to environment injection risks. When a workflow step echoes untrusted data to stdout, an attacker can inject these commands to set arbitrary environment variables or modify the PATH for all subsequent steps in the job. This issue has been patched in version 0.2.86."}, {"lang": "es", "value": "act es un proyecto que permite la ejecuci\u00f3n local de acciones de GitHub. Antes de la versi\u00f3n 0.2.86, act procesa incondicionalmente los comandos de flujo de trabajo obsoletos ::set-env:: y ::add-path::, lo cual fue deshabilitado debido a riesgos de inyecci\u00f3n de entorno. Cuando un paso de flujo de trabajo hace eco de datos no confiables a stdout, un atacante puede inyectar estos comandos para establecer variables de entorno arbitrarias o modificar la variable PATH para todos los pasos subsiguientes en el trabajo. Este problema ha sido parcheado en la versi\u00f3n 0.2.86."}], "id": "CVE-2026-34041", "lastModified": "2026-04-06T15:34:15.297", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T03:15:58.053", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nektos/act/commit/0c739c8e39c41aa5a07665f732da9cab6df0097a"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/nektos/act/releases/tag/v0.2.86"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/nektos/act/security/advisories/GHSA-xmgr-9pqc-h5vw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.2.86)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "act", "source": "cna", "vendor": "nektos"}, "product": "act", "vendor": "nektos"}], "analysis": {"en": {"generated_at": "2026-04-06T19:48:21.596480+00:00", "value": {"mitigation_remediation": ["Upgrade act to version 0.2.86 or later."], "summary": {"action": "Immediate Patch", "impact": "Unrestricted environment variable injection and PATH manipulation"}, "threat_synthesis": {"affected_systems": "Affected are installations of the nektos act tool prior to version 0.2.86. The advisory states that starting with release 0.2.86 the processing of ::set-env:: and ::add-path:: commands has been removed, mitigating the risk. Any environment running older releases should be considered vulnerable.", "description_and_impact": "The vulnerability resides in the local workflow runner \"act\" which unconditionally processes deprecated ::set-env:: and ::add-path:: commands. If a workflow step echoes untrusted data to stdout, those commands can be injected to set arbitrary environment variables or alter the PATH for all subsequent steps. This creates an opportunity for an attacker to influence the execution environment of later steps, potentially enabling execution of malicious code or altering program behavior. The weakness is a classic form of input parsing flaw described by CWE\u201174.", "risk_and_exploitability": "The CVSS score of 7.7 classifies the issue as high severity, reflecting the potential impact of environment manipulation. The EPSS score indicates less than 1% likelihood of exploitation in the wild, and the vulnerability is not currently listed in CISA\u2019s KEV catalog. However, the attack vector requires an attacker to supply or influence untrusted input echoed within a workflow step; therefore, any CI pipeline that accepts untrusted data is at risk. Exploitation would be straightforward for a developer or CI operator with access to the workflow file or its inputs, making the risk moderate to high in such settings."}}}}, "created": "2026-03-31T19:56:27.712109+00:00", "updated": "2026-04-07T08:08:13.641517+00:00", "vendors": ["nektos", "nektos$PRODUCT$act"]}