CVE-2026-26189 Overview
A command injection vulnerability has been identified in aquasecurity/trivy-action, a popular GitHub Action used to scan Docker container images for vulnerabilities using Trivy. The vulnerability exists in versions 0.31.0 through 0.33.1 due to improper handling of action inputs when exporting environment variables. The action writes export VAR=<input> lines to trivy_envs.txt based on user-supplied inputs and subsequently sources this file in entrypoint.sh. Because input values are written without appropriate shell escaping, attacker-controlled input containing shell metacharacters (e.g., $(...), backticks, or other command substitution syntax) may be evaluated during the sourcing process. This can result in arbitrary command execution within the GitHub Actions runner context.
Critical Impact
Attackers with access to user input in GitHub workflows can achieve arbitrary command execution within the GitHub Actions runner context by injecting shell metacharacters into Trivy Action inputs.
Affected Products
- aquasecurity/trivy-action versions 0.31.0 through 0.33.1
Discovery Timeline
- 2026-02-19 - CVE-2026-26189 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2026-26189
Vulnerability Analysis
This command injection vulnerability (CWE-78) stems from a design flaw in how trivy-action handles user-provided inputs. The action takes various configuration inputs from the workflow YAML file and writes them to an environment file (trivy_envs.txt) using a simple export VAR=<input> pattern. This file is then sourced by the shell in entrypoint.sh to set up the runtime environment.
The core issue is the absence of proper shell escaping when writing user-controlled values to the environment file. When the shell sources this file, any embedded shell metacharacters—such as command substitution syntax like $(command) or backticks—are evaluated by the shell interpreter. This allows an attacker who can influence the action inputs (through pull requests, issue templates, or other workflow triggers that incorporate user data) to execute arbitrary commands in the context of the GitHub Actions runner.
The vulnerability requires that a consuming workflow passes attacker-controlled data into action inputs that are written to trivy_envs.txt. Workflows that only use static, developer-controlled values in their Trivy Action configurations are not affected.
Root Cause
The root cause is the lack of shell escaping when writing user-supplied input values to trivy_envs.txt. The action concatenates raw input values into shell export statements without sanitization, creating a classic command injection vector when the file is sourced.
Attack Vector
The attack vector is network-based but requires high privileges—specifically, the ability to influence workflow inputs. An attacker must be able to inject shell metacharacters into workflow inputs that get processed by the vulnerable Trivy Action versions. Common attack scenarios include:
- Crafted pull request titles or branch names that flow into action inputs
- Issue templates where user input is passed to the action
- Workflow dispatch inputs from malicious actors with repository access
The patch in version 0.34.0 addresses this by implementing proper shell escaping or eliminating the vulnerable source ./trivy_envs.txt pattern entirely.
#!/bin/bash
set -euo pipefail
# Read TRIVY_* envs from file, previously they were written to the GITHUB_ENV file but GitHub Actions automatically
# injects those into subsequent job steps which means inputs from one trivy-action invocation were leaking over to
# any subsequent invocation which led to unexpected/undesirable behaviour from a user perspective
# See #422 for more context around this
if [ -f ./trivy_envs.txt ]; then
  source ./trivy_envs.txt
fi
# Set artifact reference
scanType="${INPUT_SCAN_TYPE:-image}"
scanRef="${INPUT_SCAN_REF:-.}"
Source: GitHub Commit
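The following is an added example written for this advisory, not code from trivy-action or its fix: a writer for a trivy_envs.txt-style file that single-quotes every value, placed next to the raw export VAR=<input> pattern, so that sourcing the file cannot evaluate metacharacters carried in the input. The function names and the TRIVY_DEMO variable are made up for the demonstration.

```shell
#!/bin/sh
# Added example for this advisory (not trivy-action code): a writer for a
# trivy_envs.txt-style file that single-quotes every value, shown next to the
# raw "export VAR=<input>" pattern, so that sourcing the file cannot evaluate
# metacharacters carried in the input. Function names and TRIVY_DEMO are made up.

# shell_quote VALUE -> VALUE in single quotes, embedded quotes rewritten as '\''
shell_quote() {
  sq="'"
  printf "'%s'" "$(printf '%s' "$1" | sed "s/$sq/$sq\\\\$sq$sq/g")"
}

# write_env NAME VALUE FILE -> appends one safely quoted export line to FILE.
# NAME must be a valid shell identifier; anything else is rejected.
write_env() {
  case "$1" in
    ""|[0-9]*|*[!A-Za-z0-9_]*) printf 'write_env: bad name %s\n' "$1" >&2; return 1 ;;
  esac
  printf 'export %s=%s\n' "$1" "$(shell_quote "$2")" >> "$3"
}

# unsafe_write_env NAME VALUE FILE -> the unescaped pattern, kept only for contrast
unsafe_write_env() {
  printf 'export %s=%s\n' "$1" "$2" >> "$3"
}

# roundtrip WRITER VALUE -> writes VALUE as TRIVY_DEMO with WRITER, sources the
# file the way entrypoint.sh does, and prints what the shell ended up with
roundtrip() {
  envfile=$(mktemp)
  "$1" TRIVY_DEMO "$2" "$envfile"
  TRIVY_DEMO=unset
  . "$envfile"
  rm -f "$envfile"
  printf '%s\n' "$TRIVY_DEMO"
}
```

With write_env the literal `$(echo injected)` survives sourcing unchanged; with unsafe_write_env the shell substitutes it, which is the behaviour the advisory describes.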
Detection Methods for CVE-2026-26189
Indicators of Compromise
- Unexpected command execution or process spawning during GitHub Actions workflow runs using Trivy Action
- Unusual network connections or data exfiltration attempts from GitHub Actions runners
- Workflow logs showing shell metacharacters being processed in environment variable assignments
- Anomalous modifications to trivy_envs.txt file contents during action execution
Detection Strategies
- Audit GitHub Actions workflow files for uses of aquasecurity/trivy-action@v0.31.0 through aquasecurity/trivy-action@v0.33.1
- Review workflow configurations that pass dynamic or user-controlled data into Trivy Action inputs
- Implement GitHub Actions workflow analysis to detect potentially dangerous input patterns containing shell metacharacters
- Monitor repository activity for pull requests or issues attempting to inject command substitution syntax
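To put the first two detection strategies into practice, here is an added audit helper written for this advisory (not part of trivy-action or any official tooling) that lists every aquasecurity/trivy-action reference under a directory of workflow files and classifies the pinned ref against the affected range 0.31.0 through 0.33.1. The function names are made up, and refs that are commit SHAs, branches or floating tags are reported for manual review because a version cannot be read from them.

```shell
#!/bin/sh
# Added audit helper for this advisory (not part of trivy-action): lists every
# aquasecurity/trivy-action reference under a directory of workflow files and
# classifies the pinned ref against the affected range 0.31.0 through 0.33.1.
# Function names are made up; any sample workflow used with it is constructed.

# classify_ref REF -> vulnerable | fixed | unaffected | review
classify_ref() {
  ref="${1#v}"                           # accept both 0.33.1 and v0.33.1
  case "$ref" in
    [0-9]*.[0-9]*.[0-9]*)                # three-part version tag
      printf '%s\n' "$ref" | awk -F. '{
        n = $1 * 1000000 + $2 * 1000 + $3   # 0.33.1 -> 33001
        if (n < 31000)       print "unaffected"   # before 0.31.0
        else if (n <= 33001) print "vulnerable"   # 0.31.0 .. 0.33.1
        else                 print "fixed"        # 0.34.0 and later
      }' ;;
    *) printf 'review\n' ;;              # commit SHA, branch or floating tag: resolve by hand
  esac
}

# audit_workflows DIR -> one line per reference: FILE:LINE REF VERDICT
# (paths containing spaces would shift the fields; keep workflow paths plain)
audit_workflows() {
  find "$1" \( -name '*.yml' -o -name '*.yaml' \) \
       -exec grep -Hn -E 'uses:.*aquasecurity/trivy-action@' {} + 2>/dev/null |
  while IFS= read -r hit; do
    loc=$(printf '%s\n' "$hit" | cut -d: -f1,2)
    ref=$(printf '%s\n' "$hit" | sed -E 's/.*trivy-action@([^[:space:]#]+).*/\1/')
    ref=${ref%\"}; ref=${ref%\'}         # drop a closing quote if the uses: value was quoted
    printf '%s %s %s\n' "$loc" "$ref" "$(classify_ref "$ref")"
  done
}

# count_vulnerable DIR -> number of references that fall inside the affected range
count_vulnerable() {
  audit_workflows "$1" | awk '$3 == "vulnerable"' | wc -l | tr -d ' '
}
```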
Monitoring Recommendations
- Enable comprehensive logging for GitHub Actions workflows to capture input values and execution traces
- Implement alerts for workflows using vulnerable Trivy Action versions
- Review Actions runner logs for signs of unexpected command execution or environment manipulation
- Audit dependencies and pinned action versions across repositories using automated scanning tools
How to Mitigate CVE-2026-26189
Immediate Actions Required
- Upgrade aquasecurity/trivy-action to version 0.34.0 or later immediately
- Audit all workflows using Trivy Action to identify those passing user-controlled data into action inputs
- Pin action versions explicitly using full commit SHA hashes rather than floating tags
- Review recent workflow runs for any suspicious activity that may indicate exploitation attempts
Patch Information
The vulnerability is fixed in aquasecurity/trivy-action version 0.34.0. The fix properly escapes shell values or eliminates the vulnerable source ./trivy_envs.txt pattern. Organizations should update their workflow files to reference the patched version. For more details, see the GitHub Security Advisory.
Workarounds
- Avoid passing attacker-controlled or user-supplied data into Trivy Action inputs until upgrade is complete
- Validate and sanitize any external inputs before passing them to the action
- Use static, hardcoded values for action inputs where possible
- Implement workflow restrictions to limit who can trigger workflows that use the vulnerable action
# Example: Pin to patched version using commit SHA for security
# In your GitHub Actions workflow file (.github/workflows/*.yml)
- uses: aquasecurity/trivy-action@bc61dc55704e2d5704760f3cdab0d09acf16e4ca
  with:
    image-ref: 'your-image:tag'
    # Use only static, developer-controlled values for inputs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.