Platform
go
Component
github.com/nektos/act
Fixed in
0.2.87
0.2.86
CVE-2026-34041 describes an environment injection vulnerability in act, a fast and compliant GitHub Actions runner. The flaw arises because act processes the set-env and add-path workflow commands without restriction, so output emitted by a step can manipulate the execution environment of the running GitHub Actions workflow. Versions of act prior to 0.2.86 are affected, and a patch has been released to address the issue.
An attacker exploiting this vulnerability can inject arbitrary environment variables into the running GitHub Actions workflow. This can lead to a wide range of malicious activities, including stealing sensitive credentials (API keys, passwords) stored as environment variables, modifying workflow behavior to execute arbitrary code, and potentially gaining unauthorized access to connected systems. The impact is particularly severe in CI/CD pipelines, where compromised workflows could inject malicious code into deployed applications or infrastructure. Successful exploitation could lead to data breaches, supply chain attacks, and complete compromise of the affected repository and its associated resources. This vulnerability shares similarities with other environment variable injection flaws, where attackers leverage improper input validation to gain control over the execution context.
CVE-2026-34041 was publicly disclosed on 2026-04-02. The vulnerability's severity is rated HIGH (CVSS 7.5). There are currently no known public proof-of-concept exploits available, but the ease of exploitation makes it a potential target. It is not currently listed on the CISA KEV catalog. Active campaigns exploiting this vulnerability are not yet confirmed, but the potential for abuse warrants immediate attention.
Exploit Status
EPSS
0.06% (19th percentile)
The primary mitigation for CVE-2026-34041 is to upgrade act to version 0.2.86 or later. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing stricter input validation and sanitization for set-env and add-path commands within your GitHub Actions workflows. While not a complete solution, restricting the scope of these commands or validating their contents can reduce the attack surface. Additionally, review your GitHub Actions workflows for any hardcoded secrets or sensitive information stored as environment variables, and migrate them to more secure storage mechanisms like GitHub Secrets. After upgrading, verify the fix by running a test workflow that attempts to inject environment variables and confirm that the injection is prevented.
Update to version 0.2.86 or higher. This version fixes the environment injection vulnerability by disabling unconditional processing of the ::set-env:: and ::add-path:: workflow commands.
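The injection vector above is the deprecated workflow command syntax (`::set-env name=VAR::value` and `::add-path::dir`) appearing in a step's output. As an added example that is not part of this advisory or of the act project's code, the following Go program scans captured step output for those commands so that an auditor can spot attempted injections in logs; the sample output and the variable names in it are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records one deprecated workflow command seen in step output.
type Finding struct {
	Line    int    // 1-based line number within the output
	Command string // "set-env" or "add-path"
	Name    string // variable name for set-env, empty for add-path
	Value   string // value assigned (set-env) or directory added (add-path)
}

// Deprecated GitHub workflow command syntax that an unpatched act applies
// unconditionally: "::set-env name=VAR::value" and "::add-path::dir".
var envCmdRe = regexp.MustCompile(`^::(?:(set-env) name=([^:]+)|(add-path))::(.*)$`)

// FindEnvInjectionCommands scans step output line by line and reports
// every set-env / add-path command it contains.
func FindEnvInjectionCommands(output string) []Finding {
	var findings []Finding
	for i, raw := range strings.Split(output, "\n") {
		m := envCmdRe.FindStringSubmatch(strings.TrimSpace(raw))
		if m == nil {
			continue
		}
		cmd := m[1] // set-env
		if cmd == "" {
			cmd = m[3] // add-path
		}
		findings = append(findings, Finding{Line: i + 1, Command: cmd, Name: m[2], Value: m[4]})
	}
	return findings
}

// sampleOutput is constructed step output mixing ordinary log lines,
// a still-supported ::notice:: command, and two injection attempts.
const sampleOutput = `Running tests...
::set-env name=DEPLOY_TARGET::staging
all tests passed
::add-path::/opt/tools/bin
::notice::build complete
`

func main() {
	for _, f := range FindEnvInjectionCommands(sampleOutput) {
		fmt.Printf("line %d: %s name=%q value=%q\n", f.Line, f.Command, f.Name, f.Value)
	}
}
```

Run it over the captured output of each step (for example the log act writes for a job) and treat any finding as something to investigate, since a patched act ignores these commands rather than applying them.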
CVE-2026-34041 is a HIGH severity vulnerability in act versions before 0.2.86 that allows attackers to inject environment variables, potentially compromising CI/CD pipelines.
If you are using act versions prior to 0.2.86, you are vulnerable. Check your act version and upgrade immediately.
Upgrade act to version 0.2.86 or later. If immediate upgrade isn't possible, implement stricter input validation for set-env and add-path commands.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation makes it a potential target. Monitor your systems closely.
Refer to the official act GitHub repository and release notes for the advisory and detailed information: https://github.com/nektos/act/releases