Skip to content

script injection via sourced env file in composite action

Moderate
simar7 published GHSA-9p44-j4g5-cfx5 Feb 18, 2026

Package

No package listed

Affected versions

>= 0.31.0, <= 0.34.0

Patched versions

>=0.34.1

Description

Command Injection in aquasecurity/trivy-action via Unsanitized Environment Variable Export

A command injection vulnerability exists in aquasecurity/trivy-action due to improper handling of action inputs when exporting environment variables. The action writes export VAR=<input> lines to trivy_envs.txt based on user-supplied inputs and subsequently sources this file in entrypoint.sh.

Because input values are written without appropriate shell escaping, attacker-controlled input containing shell metacharacters (e.g., $(...), backticks, or other command substitution syntax) may be evaluated during the sourcing process. This can result in arbitrary command execution within the GitHub Actions runner context.

Severity:

Moderate

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Impact:

Successful exploitation may lead to arbitrary command execution in the CI runner environment.

Affected Versions:

  • Versions >= 0.31.0 and <= 0.33.1
  • Introduced in commit 7aca5ac

Affected Conditions:

The vulnerability is exploitable when a consuming workflow passes attacker-controlled data into any action input that is written to trivy_envs.txt. Access to user input is required by the malicious actor.

A representative exploitation pattern involves incorporating untrusted pull request metadata into an action parameter. For example:

- uses: aquasecurity/trivy-action@0.33.1
  with:
    output: "trivy-${{ github.event.pull_request.title }}.sarif"

If the pull request title contains shell syntax, it may be executed when the generated environment file is sourced.

Not Affected:

  • Workflows that do not pass attacker-controlled data into trivy-action inputs
  • Workflows that upgrade to a patched version that properly escapes shell values or eliminates the source ./trivy_envs.txt pattern
  • Workflows where user input is not accessible.

Call Sites:

  • action.yaml:188set_env_var_if_provided writes unescaped export lines
  • entrypoint.sh:9 — sources ./trivy_envs.txt

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

CVE ID

CVE-2026-26189

Weaknesses

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Learn more on MITRE.

Credits