CVE-2026-26189

Trivy Action runs Trivy as GitHub action to scan a Docker container image for vulnerabilities. A command injection vulnerability exists in `aquasecurity/trivy-action` versions 0.31.0 through 0.33.1 due to improper handling of action inputs when exporting environment variables. The action writes `export VAR=<input>` lines to `trivy_envs.txt` based on user-supplied inputs and subsequently sources this file in `entrypoint.sh`. Because input values are written without appropriate shell escaping, attacker-controlled input containing shell metacharacters (e.g., `$(...)`, backticks, or other command substitution syntax) may be evaluated during the sourcing process. This can result in arbitrary command execution within the GitHub Actions runner context. Version 0.34.0 contains a patch for this issue. The vulnerability is exploitable when a consuming workflow passes attacker-controlled data into any action input that is written to `trivy_envs.txt`. Access to user input is required by the malicious actor. Workflows that do not pass attacker-controlled data into `trivy-action` inputs, workflows that upgrade to a patched version that properly escapes shell values or eliminates the `source ./trivy_envs.txt` pattern, and workflows where user input is not accessible are not affected.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.7 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/aquasecurity/trivy-action/commit/7aca5acc9500b463826cc47a47a65ad7d404b045	Patch
https://github.com/aquasecurity/trivy-action/commit/bc61dc55704e2d5704760f3cdab0d09acf16e4ca	Patch
https://github.com/aquasecurity/trivy-action/security/advisories/GHSA-9p44-j4g5-cfx5	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:aquasec:trivy_action:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-19 20:25

Updated : 2026-02-26 02:55

NVD link : CVE-2026-26189

Mitre link : CVE-2026-26189

CVE.ORG link : CVE-2026-26189

JSON object : View

Products Affected

aquasec

trivy_action

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2026-26189", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 0.7}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2026-02-19T20:25:42.120", "references": [{"url": "https://github.com/aquasecurity/trivy-action/commit/7aca5acc9500b463826cc47a47a65ad7d404b045", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/aquasecurity/trivy-action/commit/bc61dc55704e2d5704760f3cdab0d09acf16e4ca", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/aquasecurity/trivy-action/security/advisories/GHSA-9p44-j4g5-cfx5", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "Trivy Action runs Trivy as GitHub action to scan a Docker container image for vulnerabilities. A command injection vulnerability exists in `aquasecurity/trivy-action` versions 0.31.0 through 0.33.1 due to improper handling of action inputs when exporting environment variables. The action writes `export VAR=<input>` lines to `trivy_envs.txt` based on user-supplied inputs and subsequently sources this file in `entrypoint.sh`. Because input values are written without appropriate shell escaping, attacker-controlled input containing shell metacharacters (e.g., `$(...)`, backticks, or other command substitution syntax) may be evaluated during the sourcing process. This can result in arbitrary command execution within the GitHub Actions runner context. Version 0.34.0 contains a patch for this issue. The vulnerability is exploitable when a consuming workflow passes attacker-controlled data into any action input that is written to `trivy_envs.txt`. Access to user input is required by the malicious actor. Workflows that do not pass attacker-controlled data into `trivy-action` inputs, workflows that upgrade to a patched version that properly escapes shell values or eliminates the `source ./trivy_envs.txt` pattern, and workflows where user input is not accessible are not affected."}, {"lang": "es", "value": "Trivy Action ejecuta Trivy como acci\u00f3n de GitHub para escanear una imagen de contenedor Docker en busca de vulnerabilidades. Una vulnerabilidad de inyecci\u00f3n de comandos existe en las versiones 0.31.0 a 0.33.1 de `aquasecurity/trivy-action` debido a un manejo inadecuado de las entradas de la acci\u00f3n al exportar variables de entorno. La acci\u00f3n escribe l\u00edneas 'export VAR=' en `trivy_envs.txt` bas\u00e1ndose en entradas proporcionadas por el usuario y posteriormente carga este archivo en `entrypoint.sh`. Debido a que los valores de entrada se escriben sin el escape de shell adecuado, la entrada controlada por el atacante que contiene metacaracteres de shell (por ejemplo, '$(...)', comillas invertidas u otra sintaxis de sustituci\u00f3n de comandos) puede ser evaluada durante el proceso de carga. Esto puede resultar en la ejecuci\u00f3n arbitraria de comandos dentro del contexto del ejecutor de GitHub Actions. La versi\u00f3n 0.34.0 contiene un parche para este problema. La vulnerabilidad es explotable cuando un flujo de trabajo consumidor pasa datos controlados por el atacante a cualquier entrada de acci\u00f3n que se escriba en `trivy_envs.txt`. Se requiere acceso a la entrada del usuario por parte del actor malicioso. Los flujos de trabajo que no pasan datos controlados por el atacante a las entradas de `trivy-action`, los flujos de trabajo que se actualizan a una versi\u00f3n parcheada que escapa correctamente los valores de shell o elimina el patr\u00f3n 'source ./trivy_envs.txt', y los flujos de trabajo donde la entrada del usuario no es accesible no se ven afectados."}], "lastModified": "2026-02-26T02:55:00.643", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:aquasec:trivy_action:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BD6A33D0-39BB-4094-8074-8D47D2C1F437", "versionEndExcluding": "0.34.1", "versionStartIncluding": "0.31.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}