Platform
go
Component
github.com/nektos/act
Fixed in
0.2.87
0.2.86
CVE-2026-34041 describes an environment injection vulnerability found in act, a fast and compliant GitHub Actions runner. This flaw arises from the unrestricted processing of set-env and add-path commands, allowing attackers to inject malicious environment variables. The vulnerability affects versions of act prior to 0.2.86 and can lead to unauthorized actions if exploited. A fix has been released in version 0.2.86.
An attacker exploiting this vulnerability can inject arbitrary environment variables into the running GitHub Actions workflow. This can lead to a wide range of malicious activities, including stealing sensitive credentials (API keys, passwords) stored as environment variables, modifying workflow behavior to execute arbitrary code, and potentially gaining unauthorized access to connected systems. The impact is particularly severe in CI/CD pipelines, where compromised workflows could inject malicious code into deployed applications or infrastructure. Successful exploitation could lead to data breaches, supply chain attacks, and complete compromise of the affected repository and its associated resources. This vulnerability shares similarities with other environment variable injection flaws, where attackers leverage improper input validation to gain control over the execution context.
CVE-2026-34041 was publicly disclosed on 2026-04-02. The vulnerability's severity is rated HIGH (CVSS 7.5). There are currently no known public proof-of-concept exploits available, but the ease of exploitation makes it a potential target. It is not currently listed on the CISA KEV catalog. Active campaigns exploiting this vulnerability are not yet confirmed, but the potential for abuse warrants immediate attention.
Organizations heavily reliant on GitHub Actions for CI/CD pipelines are at significant risk. This includes development teams using act to accelerate their workflows and those who store sensitive information as environment variables within their GitHub repositories. Shared hosting environments utilizing act also present a heightened risk due to the potential for cross-tenant exploitation.
• linux / server: Monitor GitHub Actions workflow logs for suspicious set-env or add-path commands. Use journalctl to filter for act-related processes and look for unusual environment variable modifications (the unit name below assumes act runs as a systemd unit called act):
journalctl -u act --grep 'set-env|add-path' | less
• generic web: Examine GitHub Actions workflow definitions for any insecure usage of set-env or add-path. Review repository access controls to ensure only authorized users can modify workflows.
Public Disclosure
Exploit status
EPSS
0.06% (19th percentile)
The primary mitigation for CVE-2026-34041 is to upgrade act to version 0.2.86 or later. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing stricter input validation and sanitization for set-env and add-path commands within your GitHub Actions workflows. While not a complete solution, restricting the scope of these commands or validating their contents can reduce the attack surface. Additionally, review your GitHub Actions workflows for any hardcoded secrets or sensitive information stored as environment variables, and migrate them to more secure storage mechanisms like GitHub Secrets. After upgrading, verify the fix by running a test workflow that attempts to inject environment variables and confirm that the injection is prevented.
Upgrade to version 0.2.86 or later. This version fixes the environment injection vulnerability by disabling the unconditional processing of the ::set-env:: and ::add-path:: workflow commands.
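The advisory text above describes the flaw as unrestricted handling of the legacy ::set-env:: and ::add-path:: workflow commands emitted in step output, and the fix as no longer applying them unconditionally. The following Go program is an added illustration written for this page, not code from the act project: it parses workflow command lines from step output and applies them to a simplified job context under two policies, the legacy behaviour (commands applied as-is) and a hardened one (commands recorded as findings and not applied). The `Job` type, the `AllowLegacyEnvCommands` switch and the sample step output are assumptions made for the example; act's real job context and option names differ.

```go
package main

import (
	"fmt"
	"strings"
)

// Command is one parsed workflow command line of the form
// ::name key=value,key2=value2::data
type Command struct {
	Name   string
	Params map[string]string
	Data   string
}

// ParseWorkflowCommand parses one line of step output. ok is false for
// ordinary output that is not a workflow command.
func ParseWorkflowCommand(line string) (cmd Command, ok bool) {
	line = strings.TrimRight(line, "\r\n")
	if !strings.HasPrefix(line, "::") {
		return Command{}, false
	}
	rest := line[2:]
	end := strings.Index(rest, "::")
	if end < 0 {
		return Command{}, false
	}
	header, data := rest[:end], rest[end+2:]
	name, paramStr, _ := strings.Cut(header, " ")
	name = strings.ToLower(strings.TrimSpace(name))
	if name == "" {
		return Command{}, false
	}
	cmd = Command{Name: name, Params: map[string]string{}, Data: data}
	for _, kv := range strings.Split(paramStr, ",") {
		if k, v, found := strings.Cut(kv, "="); found {
			cmd.Params[strings.TrimSpace(k)] = v
		}
	}
	return cmd, true
}

// Job is a simplified stand-in for a runner's per-job state (assumption).
type Job struct {
	Env  map[string]string
	Path []string
	// AllowLegacyEnvCommands re-enables ::set-env:: and ::add-path::.
	// The hardened default is false: such commands are logged, not applied.
	AllowLegacyEnvCommands bool
	Findings               []string
}

// NewJob returns a job with a small constructed starting environment.
func NewJob(allowLegacy bool) *Job {
	return &Job{
		Env:                    map[string]string{"CI": "true"},
		Path:                   []string{"/usr/bin"},
		AllowLegacyEnvCommands: allowLegacy,
	}
}

// Apply processes one line of step output against the job state.
func (j *Job) Apply(line string) {
	cmd, ok := ParseWorkflowCommand(line)
	if !ok {
		return
	}
	switch cmd.Name {
	case "set-env", "add-path":
		if !j.AllowLegacyEnvCommands {
			// Hardened policy: record the attempt for detection, do not mutate env/PATH.
			j.Findings = append(j.Findings, fmt.Sprintf(
				"blocked ::%s:: (name=%q data=%q)", cmd.Name, cmd.Params["name"], cmd.Data))
			return
		}
		// Legacy policy: step output directly rewrites the job environment.
		if cmd.Name == "set-env" {
			if name := cmd.Params["name"]; name != "" {
				j.Env[name] = cmd.Data
			}
		} else {
			j.Path = append([]string{cmd.Data}, j.Path...)
		}
	}
	// Other commands (warning, notice, group, ...) are outside this example.
}

// RunStepOutput feeds every line to a fresh job and returns the final state.
func RunStepOutput(lines []string, allowLegacy bool) *Job {
	j := NewJob(allowLegacy)
	for _, l := range lines {
		j.Apply(l)
	}
	return j
}

// SampleStepOutput is constructed for this example: ordinary build output
// mixed with the two legacy commands the advisory concerns.
var SampleStepOutput = []string{
	"Running build...",
	"::set-env name=INJECTED::from-step-output",
	"::add-path::/tmp/untrusted-bin",
	"::warning::unrelated workflow command",
	"build ok",
}

func main() {
	for _, allow := range []bool{true, false} {
		j := RunStepOutput(SampleStepOutput, allow)
		fmt.Printf("allowLegacy=%v env=%v path=%v\n", allow, j.Env, j.Path)
		for _, f := range j.Findings {
			fmt.Println("  finding:", f)
		}
	}
}
```

Running it shows the contrast the advisory describes: under the legacy policy the step output sets INJECTED and prepends /tmp/untrusted-bin to PATH, while under the hardened policy the environment is unchanged and two findings are recorded. The same `Findings` list is what a log-based detection, such as the journalctl search above, would be looking for in a real runner's output.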
CVE-2026-34041 is a HIGH severity vulnerability in act versions before 0.2.86 that allows attackers to inject environment variables, potentially compromising CI/CD pipelines.
If you are using act versions prior to 0.2.86, you are vulnerable. Check your act version and upgrade immediately.
Upgrade act to version 0.2.86 or later. If immediate upgrade isn't possible, implement stricter input validation for set-env and add-path commands.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation makes it a potential target. Monitor your systems closely.
Refer to the official act GitHub repository and release notes for the advisory and detailed information: https://github.com/nektos/act/releases