Vulnerability-Lookup

WID-SEC-W-2026-0898

Vulnerability from csaf_certbund - Published: 2026-03-29 22:00 - Updated: 2026-03-29 22:00

Summary

Aqua Security Trivy: Schwachstelle ermöglicht vollständige Kompromittierung des Systems

Severity

Kritisch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Aqua Security Trivy ist ein Open-Source-Sicherheitsscanner, der Schwachstellen in Container-Images, Dateisystemen und Git-Repositories identifiziert.

Angriff: Ein Angreifer kann eine Schwachstelle in Aqua Security Trivy ausnutzen, um das vollständige System zu kompromittieren.

Betroffene Betriebssysteme: - Linux - MacOS X - UNIX - Windows

CVE-2026-33634

Affected products

Known affected 5 products

Product	Identifier	Version
Aqua Security Trivy Container Image 0.69.6 Aqua Security / Trivy	`cpe:/a:aquasec:trivy:0.69.6::container_image`	Container Image 0.69.6
Aqua Security Trivy trivy-action <0.35.0 Aqua Security / Trivy		trivy-action <0.35.0
Aqua Security Trivy 0.69.4 Aqua Security / Trivy	`cpe:/a:aquasec:trivy:0.69.4`	0.69.4
Aqua Security Trivy Container Image 0.69.5 Aqua Security / Trivy	`cpe:/a:aquasec:trivy:0.69.5::container_image`	Container Image 0.69.5
Aqua Security Trivy setup-trivy <0.2.6 Aqua Security / Trivy		setup-trivy <0.2.6

References

3 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://github.com/aquasecurity/trivy/security/ad…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "kritisch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Aqua Security Trivy ist ein Open-Source-Sicherheitsscanner, der Schwachstellen in Container-Images, Dateisystemen und Git-Repositories identifiziert.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann eine Schwachstelle in Aqua Security Trivy ausnutzen, um das vollst\u00e4ndige System zu kompromittieren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- MacOS X\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-0898 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0898.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-0898 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0898"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-69fq-xp46-6x23 vom 2026-03-29",
        "url": "https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23"
      }
    ],
    "source_lang": "en-US",
    "title": "Aqua Security Trivy: Schwachstelle erm\u00f6glicht vollst\u00e4ndige Kompromittierung des Systems",
    "tracking": {
      "current_release_date": "2026-03-29T22:00:00.000+00:00",
      "generator": {
        "date": "2026-03-30T10:58:58.960+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-0898",
      "initial_release_date": "2026-03-29T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-03-29T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "0.69.4",
                "product": {
                  "name": "Aqua Security Trivy 0.69.4",
                  "product_id": "BDDEEC2E-7F87-41EA-915F-F4710B1DADFC",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:aquasec:trivy:0.69.4"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "setup-trivy \u003c0.2.6",
                "product": {
                  "name": "Aqua Security Trivy setup-trivy \u003c0.2.6",
                  "product_id": "T052244"
                }
              },
              {
                "category": "product_version",
                "name": "setup-trivy 0.2.6",
                "product": {
                  "name": "Aqua Security Trivy setup-trivy 0.2.6",
                  "product_id": "T052244-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:aquasec:trivy:0.2.6::setup-trivy"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "trivy-action \u003c0.35.0",
                "product": {
                  "name": "Aqua Security Trivy trivy-action \u003c0.35.0",
                  "product_id": "T052245"
                }
              },
              {
                "category": "product_version",
                "name": "trivy-action 0.35.0",
                "product": {
                  "name": "Aqua Security Trivy trivy-action 0.35.0",
                  "product_id": "T052245-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:aquasec:trivy:0.35.0::trivy-action"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Container Image 0.69.5",
                "product": {
                  "name": "Aqua Security Trivy Container Image 0.69.5",
                  "product_id": "T052246",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:aquasec:trivy:0.69.5::container_image"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Container Image 0.69.6",
                "product": {
                  "name": "Aqua Security Trivy Container Image 0.69.6",
                  "product_id": "T052247",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:aquasec:trivy:0.69.6::container_image"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Trivy"
          }
        ],
        "category": "vendor",
        "name": "Aqua Security"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-33634",
      "product_status": {
        "known_affected": [
          "T052247",
          "T052245",
          "BDDEEC2E-7F87-41EA-915F-F4710B1DADFC",
          "T052246",
          "T052244"
        ]
      },
      "release_date": "2026-03-29T22:00:00.000+00:00",
      "title": "CVE-2026-33634"
    }
  ]
}

CVE-2026-33634 (GCVE-0-2026-33634)

Vulnerability from cvelistv5 – Published: 2026-03-23 21:47 – Updated: 2026-03-30 14:40

Title

Trivy ecosystem supply chain briefly compromised

Summary

Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in `aquasecurity/setup-trivy` with malicious commits. This incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have use a valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days). This could have allowed the attacker to retain access and execute the March 19 attack. Affected components include the `aquasecurity/trivy` Go / Container image version 0.69.4, the `aquasecurity/trivy-action` GitHub Action versions 0.0.1 – 0.34.2 (76/77), and the`aquasecurity/setup-trivy` GitHub Action versions 0.2.0 – 0.2.6, prior to the recreation of 0.2.6 with a safe commit. Known safe versions include versions 0.69.2 and 0.69.3 of the Trivy binary, version 0.35.0 of trivy-action, and version 0.2.6 of setup-trivy. Additionally, take other mitigations to ensure the safety of secrets. If there is any possibility that a compromised version ran in one's environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately. Check whether one's organization pulled or executed Trivy v0.69.4 from any source. Remove any affected artifacts immediately. Review all workflows using `aquasecurity/trivy-action` or `aquasecurity/setup-trivy`. Those who referenced a version tag rather than a full commit SHA should check workflow run logs from March 19–20, 2026 for signs of compromise. Look for repositories named `tpcp-docs` in one's GitHub organization. The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen. Pin GitHub Actions to full, immutable commit SHA hashes, don't use mutable version tags.

Severity

9.4 (Critical)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

SSVC

Exploitation: active Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-506 - Embedded Malicious Code

Assigner

GitHub_M

References

14 references

URL	Tags
https://github.com/aquasecurity/trivy/security/ad…	x_refsource_CONFIRM
https://github.com/team-telnyx/telnyx-python/secu…	x_refsource_MISC
https://github.com/BerriAI/litellm/issues/24518	x_refsource_MISC
https://docs.litellm.ai/blog/security-update-march-2026	x_refsource_MISC
https://futuresearch.ai/blog/litellm-pypi-supply-…	x_refsource_MISC
https://github.com/aquasecurity/trivy/discussions/10425	x_refsource_MISC
https://github.com/pypa/advisory-database/tree/ma…	x_refsource_MISC
https://inspector.pypi.io/project/litellm/1.82.7/…	x_refsource_MISC
https://inspector.pypi.io/project/litellm/1.82.8/…	x_refsource_MISC
https://www.wiz.io/blog/teampcp-attack-kics-githu…	x_refsource_MISC
https://rosesecurity.dev/2026/03/20/typosquatting…	exploit
https://www.microsoft.com/en-us/security/blog/202…	third-party-advisory
https://github.com/BerriAI/litellm/issues/24518#i…	third-party-advisory
https://www.cisa.gov/known-exploited-vulnerabilit…	government-resource

Impacted products

5 products

Vendor	Product	Version
aquasecurity	setup-trivy	Affected: < 0.2.6
aquasecurity	trivy-action	Affected: < 0.35.0
aquasecurity	trivy	Affected: = 0.69.4
BerriAI	LiteLLM	Affected: >= 1.82.7, <= 1.82.8
team-telnyx	telnyx	Affected: >= 4.87.1, <= 4.87.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33634",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2026-03-26",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33634"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-27T03:55:31.422Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://rosesecurity.dev/2026/03/20/typosquatting-trivy.html"
          },
          {
            "tags": [
              "third-party-advisory"
            ],
            "url": "https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise/"
          },
          {
            "tags": [
              "third-party-advisory"
            ],
            "url": "https://github.com/BerriAI/litellm/issues/24518#issuecomment-4127436387"
          },
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33634"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-03-26T00:00:00.000Z",
            "value": "CVE-2026-33634 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "setup-trivy",
          "vendor": "aquasecurity",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.2.6"
            }
          ]
        },
        {
          "product": "trivy-action",
          "vendor": "aquasecurity",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.35.0"
            }
          ]
        },
        {
          "product": "trivy",
          "vendor": "aquasecurity",
          "versions": [
            {
              "status": "affected",
              "version": "= 0.69.4"
            }
          ]
        },
        {
          "product": "LiteLLM",
          "vendor": "BerriAI",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.82.7, \u003c= 1.82.8"
            }
          ]
        },
        {
          "product": "telnyx",
          "vendor": "team-telnyx",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.87.1, \u003c= 4.87.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in `aquasecurity/setup-trivy` with malicious commits. This incident is a continuation of the supply chain attack that began in late February 2026. Following the initial disclosure on March 1, credential rotation was performed but was not atomic (not all credentials were revoked simultaneously). The attacker could have use a valid token to exfiltrate newly rotated secrets during the rotation window (which lasted a few days). This could have allowed the attacker to retain access and execute the March 19 attack. Affected components include the `aquasecurity/trivy` Go / Container image version 0.69.4, the `aquasecurity/trivy-action` GitHub Action versions 0.0.1 \u2013 0.34.2 (76/77), and the`aquasecurity/setup-trivy` GitHub Action versions 0.2.0 \u2013 0.2.6, prior to the recreation of 0.2.6 with a safe commit. Known safe versions include versions 0.69.2 and 0.69.3 of the Trivy binary, version 0.35.0 of trivy-action, and version 0.2.6 of setup-trivy. Additionally, take other mitigations to ensure the safety of secrets. If there is any possibility that a compromised version ran in one\u0027s environment, all secrets accessible to affected pipelines must be treated as exposed and rotated immediately. Check whether one\u0027s organization pulled or executed Trivy v0.69.4 from any source. Remove any affected artifacts immediately. Review all workflows using `aquasecurity/trivy-action` or `aquasecurity/setup-trivy`. Those who referenced a version tag rather than a full commit SHA should check workflow run logs from March 19\u201320, 2026 for signs of compromise. Look for repositories named `tpcp-docs` in one\u0027s GitHub organization. The presence of such a repository may indicate that the fallback exfiltration mechanism was triggered and secrets were successfully stolen. Pin GitHub Actions to full, immutable commit SHA hashes, don\u0027t use mutable version tags."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.4,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-506",
              "description": "CWE-506: Embedded Malicious Code",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-30T14:40:28.027Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23"
        },
        {
          "name": "https://github.com/team-telnyx/telnyx-python/security/advisories/GHSA-955r-262c-33jc",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/team-telnyx/telnyx-python/security/advisories/GHSA-955r-262c-33jc"
        },
        {
          "name": "https://github.com/BerriAI/litellm/issues/24518",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/BerriAI/litellm/issues/24518"
        },
        {
          "name": "https://docs.litellm.ai/blog/security-update-march-2026",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.litellm.ai/blog/security-update-march-2026"
        },
        {
          "name": "https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack"
        },
        {
          "name": "https://github.com/aquasecurity/trivy/discussions/10425",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/aquasecurity/trivy/discussions/10425"
        },
        {
          "name": "https://github.com/pypa/advisory-database/tree/main/vulns/litellm/PYSEC-2026-2.yaml",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pypa/advisory-database/tree/main/vulns/litellm/PYSEC-2026-2.yaml"
        },
        {
          "name": "https://inspector.pypi.io/project/litellm/1.82.7/packages/79/5f/b6998d42c6ccd32d36e12661f2734602e72a576d52a51f4245aef0b20b4d/litellm-1.82.7-py3-none-any.whl/litellm/proxy/proxy_server.py#line.130",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://inspector.pypi.io/project/litellm/1.82.7/packages/79/5f/b6998d42c6ccd32d36e12661f2734602e72a576d52a51f4245aef0b20b4d/litellm-1.82.7-py3-none-any.whl/litellm/proxy/proxy_server.py#line.130"
        },
        {
          "name": "https://inspector.pypi.io/project/litellm/1.82.8/packages/f6/2c/731b614e6cee0bca1e010a36fd381fba69ee836fe3cb6753ba23ef2b9601/litellm-1.82.8.tar.gz/litellm-1.82.8/litellm_init.pth#line.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://inspector.pypi.io/project/litellm/1.82.8/packages/f6/2c/731b614e6cee0bca1e010a36fd381fba69ee836fe3cb6753ba23ef2b9601/litellm-1.82.8.tar.gz/litellm-1.82.8/litellm_init.pth#line.1"
        },
        {
          "name": "https://www.wiz.io/blog/teampcp-attack-kics-github-action",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.wiz.io/blog/teampcp-attack-kics-github-action"
        }
      ],
      "source": {
        "advisory": "GHSA-69fq-xp46-6x23",
        "discovery": "UNKNOWN"
      },
      "title": "Trivy ecosystem supply chain briefly compromised"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33634",
    "datePublished": "2026-03-23T21:47:29.636Z",
    "dateReserved": "2026-03-23T14:24:11.619Z",
    "dateUpdated": "2026-03-30T14:40:28.027Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-0898

CVE-2026-33634 (GCVE-0-2026-33634)

Tags

Sightings

Nomenclature