GHSA-9P44-J4G5-CFX5

Vulnerability from github – Published: 2026-02-18 15:24 – Updated: 2026-02-19 21:56
Summary
Trivy Action has a script injection via sourced env file in composite action
Details

Command Injection in aquasecurity/trivy-action via Unsanitized Environment Variable Export

A command injection vulnerability exists in aquasecurity/trivy-action due to improper handling of action inputs when exporting environment variables. The action writes export VAR=<input> lines to trivy_envs.txt based on user-supplied inputs and subsequently sources this file in entrypoint.sh.

Because input values are written without appropriate shell escaping, attacker-controlled input containing shell metacharacters (e.g., $(...), backticks, or other command substitution syntax) may be evaluated during the sourcing process. This can result in arbitrary command execution within the GitHub Actions runner context.

Severity:

Moderate

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Impact:

Successful exploitation may lead to arbitrary command execution in the CI runner environment.

Affected Versions:

  • Versions >= 0.31.0 and <= 0.33.1
  • Introduced in commit 7aca5ac
  • Fixed in 0.34.0 (the OSV range below records 0.34.0 as the first fixed release)

Affected Conditions:

The vulnerability is exploitable only when a consuming workflow passes attacker-controlled data into an action input that is written to trivy_envs.txt; the attacker must be able to influence that input (for example, through pull request metadata the workflow interpolates into it).

A representative exploitation pattern involves incorporating untrusted pull request metadata into an action parameter. For example:

- uses: aquasecurity/trivy-action@0.33.1
  with:
    output: "trivy-${{ github.event.pull_request.title }}.sarif"

GitHub expands the ${{ }} expression before the action runs, so the raw title is what reaches the export line; if it contains shell syntax such as $(...) or backticks, that syntax is evaluated when the generated environment file is sourced.
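The two halves of the bug, the unescaped export line and the later source, are easier to reason about as a runnable model. The script below is an added example for this page, not code from trivy-action: it takes a constructed attacker-controlled value standing in for a pull request title, writes it to an env file first the way the advisory describes and then with single-quote escaping, and sources each file to show what the variable ends up holding. The file name, the function names and the TRIVY_OUTPUT variable are assumptions for the illustration; the $(echo INJECTED) payload only echoes a marker, so running it is harmless.

```shell
#!/bin/sh
# Added example for this page; not code from trivy-action. It models the
# advisory's pattern: an action input is written as an `export NAME=<value>`
# line into a file, and that file is later sourced. The file name, function
# names and the TRIVY_OUTPUT variable are assumptions for the illustration.

ENV_FILE="${TMPDIR:-/tmp}/trivy_envs_example.$$"
trap 'rm -f "$ENV_FILE"' EXIT

# Constructed attacker-controlled value, standing in for a pull request title
# that a workflow interpolated into the `output` input. The $(...) is harmless:
# it only echoes a marker into the value, but it proves a command ran.
MALICIOUS_INPUT='trivy-$(echo INJECTED).sarif'

# Vulnerable writer: the raw value lands in the export line, so $(...),
# backticks and other metacharacters are evaluated when the file is sourced.
write_env_unsafe() {
  name="$1"; value="$2"
  : > "$ENV_FILE"
  if [ -n "$value" ]; then
    echo "export $name=$value" >> "$ENV_FILE"
  fi
}

# Hardened writer: the value is wrapped in single quotes and every embedded
# single quote becomes '\'' so the sourcing shell assigns the bytes verbatim.
# (POSIX sh equivalent of bash's printf %q; $(...) drops trailing newlines.)
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

write_env_safe() {
  name="$1"; value="$2"
  : > "$ENV_FILE"
  if [ -n "$value" ]; then
    printf 'export %s=%s\n' "$name" "$(shell_quote "$value")" >> "$ENV_FILE"
  fi
}

# Source the generated file in a subshell, as `source ./trivy_envs.txt` does,
# and print what the named variable holds afterwards. `name` is a fixed
# identifier chosen by the action, never attacker data, so eval is safe here.
source_and_read() {
  name="$1"
  ( . "$ENV_FILE"; eval "printf '%s' \"\$$name\"" )
}

demo_unsafe() {
  write_env_unsafe TRIVY_OUTPUT "$MALICIOUS_INPUT"
  source_and_read TRIVY_OUTPUT
}

demo_safe() {
  write_env_safe TRIVY_OUTPUT "$MALICIOUS_INPUT"
  source_and_read TRIVY_OUTPUT
}

# Round-trip any value through the hardened writer; it must come back unchanged.
roundtrip_safe() {
  write_env_safe TRIVY_OUTPUT "$1"
  source_and_read TRIVY_OUTPUT
}

printf 'unsafe: %s\n' "$(demo_unsafe)"
printf 'safe:   %s\n' "$(demo_safe)"
```

The unsafe path yields trivy-INJECTED.sarif, evidence that the substitution executed at source time; the hardened path yields the literal input, and the round-trip helper shows the quoting survives embedded single quotes, backticks and command separators. Under bash, printf %q is the idiomatic way to produce the quoted literal; the POSIX helper is used here so the script also runs under sh. Escaping fixes this instance, but dropping the write-then-source round trip entirely (setting the variables directly in the step that needs them) removes the class of bug.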

Not Affected:

  • Workflows that do not pass attacker-controlled data into trivy-action inputs
  • Workflows that upgrade to a patched version (0.34.0 or later) that properly escapes shell values or eliminates the source ./trivy_envs.txt pattern
  • Workflows where user input is not accessible.

Call Sites:

  • action.yaml:188 — set_env_var_if_provided writes unescaped export lines
  • entrypoint.sh:9 — sources ./trivy_envs.txt

{
  "affected": [
    {
      "package": {
        "ecosystem": "GitHub Actions",
        "name": "aquasecurity/trivy-action"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.31.0"
            },
            {
              "fixed": "0.34.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26189"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-18T15:24:43Z",
    "nvd_published_at": "2026-02-19T20:25:42Z",
    "severity": "MODERATE"
  },
  "details": "Command Injection in aquasecurity/trivy-action via Unsanitized Environment Variable Export\n\n\nA command injection vulnerability exists in `aquasecurity/trivy-action` due to improper handling of action inputs when exporting environment variables. The action writes `export VAR=\u003cinput\u003e` lines to `trivy_envs.txt` based on user-supplied inputs and subsequently sources this file in `entrypoint.sh`.\n\nBecause input values are written without appropriate shell escaping, attacker-controlled input containing shell metacharacters (e.g., `$(...)`, backticks, or other command substitution syntax) may be evaluated during the sourcing process. This can result in arbitrary command execution within the GitHub Actions runner context.\n\n**Severity:**\n\nModerate\n\nCVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N\n\nCWE-78: Improper Neutralization of Special Elements used in an OS Command (\u2018OS Command Injection\u2019)\n\n**Impact:**\n\nSuccessful exploitation may lead to arbitrary command execution in the CI runner environment.\n\n\n**Affected Versions:**\n\n* Versions \u003e= 0.31.0 and \u003c= 0.33.1\n* Introduced in commit `7aca5ac`\n\n**Affected Conditions:**\n\nThe vulnerability is exploitable when a consuming workflow passes attacker-controlled data into any action input that is written to `trivy_envs.txt`. Access to user input is required by the malicious actor.\n\nA representative exploitation pattern involves incorporating untrusted pull request metadata into an action parameter. For example:\n\n```yaml\n- uses: aquasecurity/trivy-action@0.33.1\n  with:\n    output: \"trivy-${{ github.event.pull_request.title }}.sarif\"\n```\n\nIf the pull request title contains shell syntax, it may be executed when the generated environment file is sourced.\n\n**Not Affected:**\n\n* Workflows that do not pass attacker-controlled data into `trivy-action` inputs\n* Workflows that upgrade to a patched version that properly escapes shell values or eliminates the `source ./trivy_envs.txt` pattern\n* Workflows where user input is not accessible.\n\n**Call Sites:**\n\n* `action.yaml:188` \u2014 `set_env_var_if_provided` writes unescaped `export` lines\n* `entrypoint.sh:9` \u2014 sources `./trivy_envs.txt`",
  "id": "GHSA-9p44-j4g5-cfx5",
  "modified": "2026-02-19T21:56:21Z",
  "published": "2026-02-18T15:24:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aquasecurity/trivy-action/security/advisories/GHSA-9p44-j4g5-cfx5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26189"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aquasecurity/trivy-action/commit/7aca5acc9500b463826cc47a47a65ad7d404b045"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aquasecurity/trivy-action/commit/bc61dc55704e2d5704760f3cdab0d09acf16e4ca"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aquasecurity/trivy-action"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Trivy Action has a script injection via sourced env file in composite action"
}